From de47b3381fca140ec0ac3cfb38ff9fa3078c2d97 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Mon, 18 Sep 2023 11:58:51 +0200 Subject: [PATCH 01/17] Add logstash to stack as an optional service --- cmd/stack.go | 1 + internal/install/application_configuration.go | 5 + internal/profile/_static/config.yml.example | 4 + internal/profile/_testdata/config.yml | 1 + .../docker-compose-stack-logstash.yml.tmpl | 176 ++++++++++++++++++ internal/stack/_static/logstash.conf.tmpl | 32 ++++ internal/stack/resources.go | 3 +- 7 files changed, 221 insertions(+), 1 deletion(-) create mode 100644 internal/stack/_static/docker-compose-stack-logstash.yml.tmpl create mode 100644 internal/stack/_static/logstash.conf.tmpl diff --git a/cmd/stack.go b/cmd/stack.go index 95270564e3..123edc1a87 100644 --- a/cmd/stack.go +++ b/cmd/stack.go @@ -24,6 +24,7 @@ var availableServices = map[string]struct{}{ "fleet-server": {}, "kibana": {}, "package-registry": {}, + "logstash": {}, } const stackLongDescription = `Use this command to spin up a Docker-based Elastic Stack consisting of Elasticsearch, Kibana, and the Package Registry. By default the latest released version of the stack is spun up but it is possible to specify a different version, including SNAPSHOT versions by appending --version . diff --git a/internal/install/application_configuration.go b/internal/install/application_configuration.go index a131ffab82..f7a4946f5e 100644 --- a/internal/install/application_configuration.go +++ b/internal/install/application_configuration.go @@ -29,6 +29,7 @@ const ( elasticAgentCompleteImageName = "docker.elastic.co/elastic-agent/elastic-agent-complete" elasticsearchImageName = "docker.elastic.co/elasticsearch/elasticsearch" kibanaImageName = "docker.elastic.co/kibana/kibana" + logstashImageName = "docker.elastic.co/logstash/logstash" applicationConfigurationYmlFile = "config.yml" ) 
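Review bot: `stackLongDescription`, the context line right below the added `"logstash": {}` entry in `availableServices`, still describes the stack as Elasticsearch, Kibana and the Package Registry, so `logstash` becomes an accepted service name without the help text saying it exists or that it is opt-in. Consider extending the description with a sentence such as `Logstash is optional and is only started when the profile sets stack.logstash_enabled: true.` (the profile setting is introduced in resources.go in this same patch). The description string runs past the end of the hunk.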
@@ -87,6 +88,7 @@ func (s stack) ImageRefOverridesForVersion(version string) ImageRefs {
 ElasticAgent: checkImageRefOverride("ELASTIC_AGENT_IMAGE_REF_OVERRIDE", stringOrDefault(appConfigImageRefs.ElasticAgent, "")),
 Elasticsearch: checkImageRefOverride("ELASTICSEARCH_IMAGE_REF_OVERRIDE", stringOrDefault(appConfigImageRefs.Elasticsearch, "")),
 Kibana: checkImageRefOverride("KIBANA_IMAGE_REF_OVERRIDE", stringOrDefault(appConfigImageRefs.Kibana, "")),
+ Logstash: checkImageRefOverride("LOGSTAHS_IMAGE_REF_OVERRIDE", stringOrDefault(appConfigImageRefs.Logstash, "")),
 }
 
 }
@@ -95,6 +97,7 @@ type ImageRefs struct {
 ElasticAgent string `yaml:"elastic-agent"`
 Elasticsearch string `yaml:"elasticsearch"`
 Kibana string `yaml:"kibana"`
+ Logstash string `yaml:"logstash"`
 }
 
 // AsEnv method returns key=value representation of image refs.
@@ -103,6 +106,7 @@ func (ir ImageRefs) AsEnv() []string {
 vars = append(vars, "ELASTIC_AGENT_IMAGE_REF="+ir.ElasticAgent)
 vars = append(vars, "ELASTICSEARCH_IMAGE_REF="+ir.Elasticsearch)
 vars = append(vars, "KIBANA_IMAGE_REF="+ir.Kibana)
+ vars = append(vars, "LOGSTASH_IMAGE_REF="+ir.Logstash)
 return vars
 }
 
@@ -112,6 +116,7 @@ func (ac *ApplicationConfiguration) StackImageRefs(version string) ImageRefs {
 refs.ElasticAgent = stringOrDefault(refs.ElasticAgent, fmt.Sprintf("%s:%s", selectElasticAgentImageName(version), version))
 refs.Elasticsearch = stringOrDefault(refs.Elasticsearch, fmt.Sprintf("%s:%s", elasticsearchImageName, version))
 refs.Kibana = stringOrDefault(refs.Kibana, fmt.Sprintf("%s:%s", kibanaImageName, version))
+ refs.Logstash = stringOrDefault(refs.Logstash, fmt.Sprintf("%s:%s", logstashImageName, version))
 return refs
 }
 
diff --git a/internal/profile/_static/config.yml.example b/internal/profile/_static/config.yml.example
index e0f700f692..76a28a71bf 100644
--- a/internal/profile/_static/config.yml.example
+++ b/internal/profile/_static/config.yml.example
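Review bot: The environment variable name in the added `Logstash:` line is misspelled, `LOGSTAHS_IMAGE_REF_OVERRIDE`, so the override that follows the naming pattern of the three lines above (`KIBANA_IMAGE_REF_OVERRIDE`, and so on) would presumably never be consulted for Logstash, and the typo is easy to miss because the value still resolves to the default. Change it to `Logstash: checkImageRefOverride("LOGSTASH_IMAGE_REF_OVERRIDE", stringOrDefault(appConfigImageRefs.Logstash, "")),` and use that spelling wherever the override variables are documented. `ImageRefOverridesForVersion` starts before the hunk.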
@@ -10,3 +10,7 @@ # Region where the Serverless project is going to be created # stack.serverless.region: aws-us-east-1 +## Enable logstash for testing +# Flag to enable logstash in elastic-package stack profile config +# stack.logstash_enabled: true + diff --git a/internal/profile/_testdata/config.yml b/internal/profile/_testdata/config.yml index 77df9e7837..0eb5991f74 100644 --- a/internal/profile/_testdata/config.yml +++ b/internal/profile/_testdata/config.yml @@ -1,5 +1,6 @@ # An expected setting. stack.geoip_dir: "/home/foo/Documents/ingest-geoip" +stack.logstash_enabled: true # An empty string, should exist, but return empty. other.empty: "" diff --git a/internal/stack/_static/docker-compose-stack-logstash.yml.tmpl b/internal/stack/_static/docker-compose-stack-logstash.yml.tmpl new file mode 100644 index 0000000000..0ae3ef9dbd --- /dev/null +++ b/internal/stack/_static/docker-compose-stack-logstash.yml.tmpl 
@@ -0,0 +1,176 @@ +{{ $username := fact "username" }} +{{ $password := fact "password" }} +version: '2.3' +services: + elasticsearch: + image: "${ELASTICSEARCH_IMAGE_REF}" + healthcheck: + test: "curl -s --cacert /usr/share/elasticsearch/config/certs/ca-cert.pem -f -u {{ $username }}:{{ $password }} https://127.0.0.1:9200/_cat/health | cut -f4 -d' ' | grep -E '(green|yellow)'" + start_period: 300s + interval: 5s + environment: + - "ES_JAVA_OPTS=-Xms1g -Xmx1g" + - "ELASTIC_PASSWORD={{ $password }}" + volumes: + - "./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml" + - "../certs/elasticsearch:/usr/share/elasticsearch/config/certs" + - "{{ fact "geoip_dir" }}:/usr/share/elasticsearch/config/ingest-geoip" + - "./service_tokens:/usr/share/elasticsearch/config/service_tokens" + ports: + - "127.0.0.1:9200:9200" + + elasticsearch_is_ready: + image: tianon/true + depends_on: + elasticsearch: + condition: service_healthy + + kibana: + image: "${KIBANA_IMAGE_REF}" + depends_on: + elasticsearch: + condition: service_healthy + package-registry: + condition: service_healthy + healthcheck: + test: "sh /usr/share/kibana/healthcheck.sh" + start_period: 600s + interval: 5s + env_file: + - "../certs/ca.env" + environment: + # Is there a better way to add certificates to Kibana/Fleet? 
+ - "NODE_EXTRA_CA_CERTS=/usr/share/kibana/config/certs/ca-cert.pem" + volumes: + - "./kibana.yml:/usr/share/kibana/config/kibana.yml" + - "../certs/kibana:/usr/share/kibana/config/certs" + - "./kibana_healthcheck.sh:/usr/share/kibana/healthcheck.sh" + ports: + - "127.0.0.1:5601:5601" + + kibana_is_ready: + image: tianon/true + depends_on: + kibana: + condition: service_healthy + + package-registry: + build: + context: ../../../ + dockerfile: "./profiles/${PROFILE_NAME}/stack/Dockerfile.package-registry" + args: + PROFILE: "${PROFILE_NAME}" + healthcheck: + test: ["CMD", "curl", "--cacert", "/etc/ssl/package-registry/ca-cert.pem", "-f", "https://localhost:8080"] + start_period: 300s + interval: 5s + environment: + - "EPR_LOG_LEVEL=debug" + - "EPR_ADDRESS=0.0.0.0:8080" + - "EPR_METRICS_ADDRESS=0.0.0.0:9000" + - "EPR_TLS_KEY=/etc/ssl/package-registry/key.pem" + - "EPR_TLS_CERT=/etc/ssl/package-registry/cert.pem" + volumes: + - "../certs/package-registry:/etc/ssl/package-registry" + ports: + - "127.0.0.1:8080:8080" + - "127.0.0.1:9000:9000" + + package-registry_is_ready: + image: tianon/true + depends_on: + package-registry: + condition: service_healthy + + fleet-server: + image: "${ELASTIC_AGENT_IMAGE_REF}" + depends_on: + elasticsearch: + condition: service_healthy + kibana: + condition: service_healthy + healthcheck: + test: "curl --cacert /etc/ssl/elastic-agent/ca-cert.pem -f https://localhost:8220/api/status | grep -i healthy 2>&1 >/dev/null" + start_period: 60s + interval: 5s + hostname: docker-fleet-server + environment: + - "ELASTICSEARCH_HOST=https://elasticsearch:9200" + - "FLEET_SERVER_CERT=/etc/ssl/elastic-agent/cert.pem" + - "FLEET_SERVER_CERT_KEY=/etc/ssl/elastic-agent/key.pem" + - "FLEET_SERVER_ELASTICSEARCH_HOST=https://elasticsearch:9200" + - "FLEET_SERVER_ENABLE=1" + - "FLEET_SERVER_HOST=0.0.0.0" + - "FLEET_SERVER_SERVICE_TOKEN=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL2VsYXN0aWMtcGFja2FnZS1mbGVldC1zZXJ2ZXItdG9rZW46bmgtcFhoQzRRQ2FXbms2U0JySGlWQQ" + - 
"FLEET_URL={{ fact "fleet_url" }}" + - "KIBANA_FLEET_HOST={{ fact "kibana_host" }}" + - "KIBANA_FLEET_SERVICE_TOKEN=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL2VsYXN0aWMtcGFja2FnZS1mbGVldC1zZXJ2ZXItdG9rZW46bmgtcFhoQzRRQ2FXbms2U0JySGlWQQ" + - "KIBANA_FLEET_SETUP=1" + - "KIBANA_HOST={{ fact "kibana_host" }}" + volumes: + - "../certs/ca-cert.pem:/etc/ssl/certs/elastic-package.pem" + - "../certs/fleet-server:/etc/ssl/elastic-agent" + ports: + - "127.0.0.1:8220:8220" + + fleet-server_is_ready: + image: tianon/true + depends_on: + fleet-server: + condition: service_healthy + + elastic-agent: + image: "${ELASTIC_AGENT_IMAGE_REF}" + depends_on: + fleet-server: + condition: service_healthy + healthcheck: + test: "elastic-agent status" + timeout: 2s + start_period: 360s + retries: 180 + interval: 5s + hostname: docker-fleet-agent + env_file: "./elastic-agent.env" + volumes: + - "../certs/ca-cert.pem:/etc/ssl/certs/elastic-package.pem" + - type: bind + source: ../../../tmp/service_logs/ + target: /tmp/service_logs/ + # Mount service_logs under /run too as a testing workaround for the journald input (see elastic-package#1235). + - type: bind + source: ../../../tmp/service_logs/ + target: /run/service_logs/ + + elastic-agent_is_ready: + image: tianon/true + depends_on: + elastic-agent: + condition: service_healthy + + logstash: + depends_on: + elasticsearch: + condition: service_healthy + kibana: + condition: service_healthy + image: ${LOGSTASH_IMAGE_REF} + labels: + co.elastic.logs/module: logstash + user: root + volumes: + - certs:/usr/share/logstash/certs + - logstashdata01:/usr/share/logstash/data + - "./logstash_ingest_data/:/usr/share/logstash/ingest_data/" + - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro" + environment: + - xpack.monitoring.enabled=false + - ELASTIC_USER=elastic + - ELASTIC_PASSWORD=changeme + - ELASTIC_HOSTS=https://127.0.0.1:9200 + + logstash_is_ready: + image: tianon/true + depends_on: + logstash: + condition: service_healthy 
diff --git a/internal/stack/_static/logstash.conf.tmpl b/internal/stack/_static/logstash.conf.tmpl new file mode 100644 index 0000000000..788aea9539 --- /dev/null +++ b/internal/stack/_static/logstash.conf.tmpl @@ -0,0 +1,32 @@ +input { + file { + #https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html + #default is TAIL which assumes more data will come into the file. + #change to mode => "read" if the file is a compelte file. by default, the file will be removed once reading is complete -- backup your files if you need them. + mode => "tail" + path => "/usr/share/logstash/ingest_data/*" + } +} + + +filter { + elastic_integration { + hosts=> + username=> {{ fact "username" }} + password=> {{ fact "password" }} + cloud_id => "YOUR_CLOUD_ID_HERE" + cloud_auth => "YOUR_CLOUD_AUTH_HERE" + geoip_database_directory => "/etc/your/geoip-databases" + } +} + + +output { + elasticsearch { + index => "logstash-%{+YYYY.MM.dd}" + hosts=> "${ELASTIC_HOSTS}" + user=> {{ fact "username" }} + password=> {{ fact "password" }} + cacert=> "certs/ca/ca.crt" + } +} diff --git a/internal/stack/resources.go b/internal/stack/resources.go index 05701c0587..7009b8a4e6 100644 --- a/internal/stack/resources.go +++ b/internal/stack/resources.go @@ -122,7 +122,8 @@ func applyResources(profile *profile.Profile, stackVersion string) error { "username": elasticsearchUsername, "password": elasticsearchPassword, - "geoip_dir": profile.Config("stack.geoip_dir", "./ingest-geoip"), + "geoip_dir": profile.Config("stack.geoip_dir", "./ingest-geoip"), + "logstash_enabled": profile.Config("stack.logstash_enabled", "false"), }) os.MkdirAll(stackDir, 0755) From e3bc376321c1425538c987d63b37ffac8c7ae379 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Mon, 18 Sep 2023 11:58:51 +0200 Subject: [PATCH 02/17] Add logstash to stack as an optional service --- internal/stack/_static/kibana.yml.tmpl | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/internal/stack/_static/kibana.yml.tmpl b/internal/stack/_static/kibana.yml.tmpl index 80b908c0f9..fdbd607082 100644 --- a/internal/stack/_static/kibana.yml.tmpl +++ b/internal/stack/_static/kibana.yml.tmpl @@ -78,4 +78,11 @@ xpack.fleet.outputs: ca_trusted_fingerprint: "${ELASTIC_PACKAGE_CA_TRUSTED_FINGERPRINT}" is_default: true is_default_monitoring: true + - id: fleet-logstash-output + name: default + type: elasticsearch + hosts: [ https://elasticsearch:9200 ] + ca_trusted_fingerprint: "${ELASTIC_PACKAGE_CA_TRUSTED_FINGERPRINT}" + is_default: true + is_default_monitoring: true {{ end }} From 4b2d608aa098b3fc66c45d50a7c431123baed82a Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Thu, 21 Sep 2023 08:20:29 +0200 Subject: [PATCH 03/17] Update Kibana Fleet Policy to have other output id --- internal/kibana/policies.go | 1 + .../docker-compose-stack-logstash.yml.tmpl | 43 ++++++++++--------- internal/stack/_static/kibana.yml.tmpl | 7 --- internal/stack/config.go | 2 + internal/stack/resources.go | 2 +- 5 files changed, 27 insertions(+), 28 deletions(-) diff --git a/internal/kibana/policies.go b/internal/kibana/policies.go index 8ed3c37029..8e48019c02 100644 --- a/internal/kibana/policies.go +++ b/internal/kibana/policies.go @@ -21,6 +21,7 @@ type Policy struct { Revision int `json:"revision,omitempty"` MonitoringEnabled []string `json:"monitoring_enabled,omitempty"` MonitoringOutputID string `json:"monitoring_output_id,omitempty"` + DataOutputID string `json:"data_output_id,omitempty"` } // CreatePolicy persists the given Policy in Fleet. diff --git a/internal/stack/_static/docker-compose-stack-logstash.yml.tmpl b/internal/stack/_static/docker-compose-stack-logstash.yml.tmpl index 0ae3ef9dbd..096d01486e 100644 --- a/internal/stack/_static/docker-compose-stack-logstash.yml.tmpl +++ b/internal/stack/_static/docker-compose-stack-logstash.yml.tmpl 
@@ -148,26 +148,29 @@ services: elastic-agent: condition: service_healthy - logstash: - depends_on: - elasticsearch: - condition: service_healthy - kibana: - condition: service_healthy - image: ${LOGSTASH_IMAGE_REF} - labels: - co.elastic.logs/module: logstash - user: root - volumes: - - certs:/usr/share/logstash/certs - - logstashdata01:/usr/share/logstash/data - - "./logstash_ingest_data/:/usr/share/logstash/ingest_data/" - - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro" - environment: - - xpack.monitoring.enabled=false - - ELASTIC_USER=elastic - - ELASTIC_PASSWORD=changeme - - ELASTIC_HOSTS=https://127.0.0.1:9200 + logstash: + depends_on: + elasticsearch: + condition: service_healthy + kibana: + condition: service_healthy + image: ${LOGSTASH_IMAGE_REF} + labels: + co.elastic.logs/module: logstash + user: root + volumes: + - "./logstash_ingest_data/:/usr/share/logstash/ingest_data/" + - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro" + ports: + - "5000:5000/tcp" + - "5000:5000/udp" + - "127.0.0.1:5044:5044" + - "127.0.0.1:9600:9600" + environment: + - xpack.monitoring.enabled=false + - ELASTIC_USER=elastic + - ELASTIC_PASSWORD=changeme + - ELASTIC_HOSTS=https://127.0.0.1:9200 logstash_is_ready: image: tianon/true diff --git a/internal/stack/_static/kibana.yml.tmpl b/internal/stack/_static/kibana.yml.tmpl index fdbd607082..80b908c0f9 100644 --- a/internal/stack/_static/kibana.yml.tmpl +++ b/internal/stack/_static/kibana.yml.tmpl @@ -78,11 +78,4 @@ xpack.fleet.outputs: ca_trusted_fingerprint: "${ELASTIC_PACKAGE_CA_TRUSTED_FINGERPRINT}" is_default: true is_default_monitoring: true - - id: fleet-logstash-output - name: default - type: elasticsearch - hosts: [ https://elasticsearch:9200 ] - ca_trusted_fingerprint: "${ELASTIC_PACKAGE_CA_TRUSTED_FINGERPRINT}" - is_default: true - is_default_monitoring: true {{ end }} diff --git a/internal/stack/config.go b/internal/stack/config.go index 01b0cfadf1..8b8aca63cc 100644 
--- a/internal/stack/config.go
+++ b/internal/stack/config.go
@@ -25,6 +25,7 @@ type Config struct {
 ElasticsearchPassword string `json:"elasticsearch_password,omitempty"`
 KibanaHost string `json:"kibana_host,omitempty"`
 CACertFile string `json:"ca_cert_file,omitempty"`
+ LogstashHost string `json:"logstash_host,omitempty"`
 }
 
 func configPath(profile *profile.Profile) string {
@@ -41,6 +42,7 @@ func defaultConfig(profile *profile.Profile) Config {
 ElasticsearchPassword: elasticsearchPassword,
 KibanaHost: "https://127.0.0.1:5601",
 CACertFile: profile.Path(CACertificateFile),
+ LogstashHost: "https://127.0.0.1:5044",
 }
 }
 
diff --git a/internal/stack/resources.go b/internal/stack/resources.go
index 7009b8a4e6..f92c9496af 100644
--- a/internal/stack/resources.go
+++ b/internal/stack/resources.go
@@ -62,7 +62,7 @@ var (
 },
 &resource.File{
 Path: SnapshotFile,
- Content: staticSource.Template("_static/docker-compose-stack.yml.tmpl"),
+ Content: staticSource.Template("_static/docker-compose-stack-logstash.yml.tmpl"),
 },
 &resource.File{
 Path: ElasticsearchConfigFile,
From 93bdb7ab3326fe46a59f0d3ac7ce8136f8e52a46 Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Fri, 22 Sep 2023 11:26:47 +0200
Subject: [PATCH 04/17] Add logstash output in Fleet
---
 .../docker-compose-stack-logstash.yml.tmpl | 179 ------------------
 .../_static/docker-compose-stack.yml.tmpl | 27 +++
 internal/stack/_static/kibana.yml.tmpl | 9 +
 internal/stack/_static/logstash.conf.tmpl | 29 +--
 internal/stack/resources.go | 9 +-
 5 files changed, 53 insertions(+), 200 deletions(-)
 delete mode 100644 internal/stack/_static/docker-compose-stack-logstash.yml.tmpl
diff --git a/internal/stack/_static/docker-compose-stack-logstash.yml.tmpl b/internal/stack/_static/docker-compose-stack-logstash.yml.tmpl
deleted file mode 100644
index 096d01486e..0000000000
--- a/internal/stack/_static/docker-compose-stack-logstash.yml.tmpl
+++ /dev/null
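Review bot: `LogstashHost: "https://127.0.0.1:5044"` in `defaultConfig` carries an `https://` scheme, but judging by the `elastic_agent { port => 5044 }` input added later in this series, 5044 is the Elastic Agent/Beats protocol endpoint rather than an HTTP one, so anything reading `LogstashHost` as a URL will be misled and anything expecting a host:port pair will have to strip the scheme. Store the value in the form the consumer needs, e.g. `LogstashHost: "127.0.0.1:5044"`, or add a comment on the new `LogstashHost` field stating what protocol the value is for; I cannot see a reader of the field in this series, so the intended shape should be confirmed.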
@@ -1,179 +0,0 @@ -{{ $username := fact "username" }} -{{ $password := fact "password" }} -version: '2.3' -services: - elasticsearch: - image: "${ELASTICSEARCH_IMAGE_REF}" - healthcheck: - test: "curl -s --cacert /usr/share/elasticsearch/config/certs/ca-cert.pem -f -u {{ $username }}:{{ $password }} https://127.0.0.1:9200/_cat/health | cut -f4 -d' ' | grep -E '(green|yellow)'" - start_period: 300s - interval: 5s - environment: - - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - - "ELASTIC_PASSWORD={{ $password }}" - volumes: - - "./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml" - - "../certs/elasticsearch:/usr/share/elasticsearch/config/certs" - - "{{ fact "geoip_dir" }}:/usr/share/elasticsearch/config/ingest-geoip" - - "./service_tokens:/usr/share/elasticsearch/config/service_tokens" - ports: - - "127.0.0.1:9200:9200" - - elasticsearch_is_ready: - image: tianon/true - depends_on: - elasticsearch: - condition: service_healthy - - kibana: - image: "${KIBANA_IMAGE_REF}" - depends_on: - elasticsearch: - condition: service_healthy - package-registry: - condition: service_healthy - healthcheck: - test: "sh /usr/share/kibana/healthcheck.sh" - start_period: 600s - interval: 5s - env_file: - - "../certs/ca.env" - environment: - # Is there a better way to add certificates to Kibana/Fleet? 
- - "NODE_EXTRA_CA_CERTS=/usr/share/kibana/config/certs/ca-cert.pem" - volumes: - - "./kibana.yml:/usr/share/kibana/config/kibana.yml" - - "../certs/kibana:/usr/share/kibana/config/certs" - - "./kibana_healthcheck.sh:/usr/share/kibana/healthcheck.sh" - ports: - - "127.0.0.1:5601:5601" - - kibana_is_ready: - image: tianon/true - depends_on: - kibana: - condition: service_healthy - - package-registry: - build: - context: ../../../ - dockerfile: "./profiles/${PROFILE_NAME}/stack/Dockerfile.package-registry" - args: - PROFILE: "${PROFILE_NAME}" - healthcheck: - test: ["CMD", "curl", "--cacert", "/etc/ssl/package-registry/ca-cert.pem", "-f", "https://localhost:8080"] - start_period: 300s - interval: 5s - environment: - - "EPR_LOG_LEVEL=debug" - - "EPR_ADDRESS=0.0.0.0:8080" - - "EPR_METRICS_ADDRESS=0.0.0.0:9000" - - "EPR_TLS_KEY=/etc/ssl/package-registry/key.pem" - - "EPR_TLS_CERT=/etc/ssl/package-registry/cert.pem" - volumes: - - "../certs/package-registry:/etc/ssl/package-registry" - ports: - - "127.0.0.1:8080:8080" - - "127.0.0.1:9000:9000" - - package-registry_is_ready: - image: tianon/true - depends_on: - package-registry: - condition: service_healthy - - fleet-server: - image: "${ELASTIC_AGENT_IMAGE_REF}" - depends_on: - elasticsearch: - condition: service_healthy - kibana: - condition: service_healthy - healthcheck: - test: "curl --cacert /etc/ssl/elastic-agent/ca-cert.pem -f https://localhost:8220/api/status | grep -i healthy 2>&1 >/dev/null" - start_period: 60s - interval: 5s - hostname: docker-fleet-server - environment: - - "ELASTICSEARCH_HOST=https://elasticsearch:9200" - - "FLEET_SERVER_CERT=/etc/ssl/elastic-agent/cert.pem" - - "FLEET_SERVER_CERT_KEY=/etc/ssl/elastic-agent/key.pem" - - "FLEET_SERVER_ELASTICSEARCH_HOST=https://elasticsearch:9200" - - "FLEET_SERVER_ENABLE=1" - - "FLEET_SERVER_HOST=0.0.0.0" - - "FLEET_SERVER_SERVICE_TOKEN=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL2VsYXN0aWMtcGFja2FnZS1mbGVldC1zZXJ2ZXItdG9rZW46bmgtcFhoQzRRQ2FXbms2U0JySGlWQQ" - - 
"FLEET_URL={{ fact "fleet_url" }}" - - "KIBANA_FLEET_HOST={{ fact "kibana_host" }}" - - "KIBANA_FLEET_SERVICE_TOKEN=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL2VsYXN0aWMtcGFja2FnZS1mbGVldC1zZXJ2ZXItdG9rZW46bmgtcFhoQzRRQ2FXbms2U0JySGlWQQ" - - "KIBANA_FLEET_SETUP=1" - - "KIBANA_HOST={{ fact "kibana_host" }}" - volumes: - - "../certs/ca-cert.pem:/etc/ssl/certs/elastic-package.pem" - - "../certs/fleet-server:/etc/ssl/elastic-agent" - ports: - - "127.0.0.1:8220:8220" - - fleet-server_is_ready: - image: tianon/true - depends_on: - fleet-server: - condition: service_healthy - - elastic-agent: - image: "${ELASTIC_AGENT_IMAGE_REF}" - depends_on: - fleet-server: - condition: service_healthy - healthcheck: - test: "elastic-agent status" - timeout: 2s - start_period: 360s - retries: 180 - interval: 5s - hostname: docker-fleet-agent - env_file: "./elastic-agent.env" - volumes: - - "../certs/ca-cert.pem:/etc/ssl/certs/elastic-package.pem" - - type: bind - source: ../../../tmp/service_logs/ - target: /tmp/service_logs/ - # Mount service_logs under /run too as a testing workaround for the journald input (see elastic-package#1235). 
- - type: bind - source: ../../../tmp/service_logs/ - target: /run/service_logs/ - - elastic-agent_is_ready: - image: tianon/true - depends_on: - elastic-agent: - condition: service_healthy - - logstash: - depends_on: - elasticsearch: - condition: service_healthy - kibana: - condition: service_healthy - image: ${LOGSTASH_IMAGE_REF} - labels: - co.elastic.logs/module: logstash - user: root - volumes: - - "./logstash_ingest_data/:/usr/share/logstash/ingest_data/" - - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro" - ports: - - "5000:5000/tcp" - - "5000:5000/udp" - - "127.0.0.1:5044:5044" - - "127.0.0.1:9600:9600" - environment: - - xpack.monitoring.enabled=false - - ELASTIC_USER=elastic - - ELASTIC_PASSWORD=changeme - - ELASTIC_HOSTS=https://127.0.0.1:9200 - - logstash_is_ready: - image: tianon/true - depends_on: - logstash: - condition: service_healthy diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl index d1033c19cc..e681f2f573 100644 --- a/internal/stack/_static/docker-compose-stack.yml.tmpl +++ b/internal/stack/_static/docker-compose-stack.yml.tmpl @@ -147,3 +147,30 @@ services: depends_on: elastic-agent: condition: service_healthy + +{{ $logstash_enabled := fact "logstash_enabled" }} +{{ if eq $logstash_enabled "true" }} + logstash: + depends_on: + elasticsearch: + condition: service_healthy + kibana: + condition: service_healthy + image: ${LOGSTASH_IMAGE_REF} + command: bash -c "logstash -f /etc/logstash/conf.d/logstash.conf && bin/logstash-plugin install logstash-filter-elastic_integration" + volumes: + - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro" + ports: + - "127.0.0.1:9600:9600" + environment: + - xpack.monitoring.enabled=false + - ELASTIC_USER=elastic + - ELASTIC_PASSWORD=changeme + - ELASTIC_HOSTS=https://127.0.0.1:9200 + + logstash_is_ready: + image: tianon/true + depends_on: + logstash: + condition: service_healthy +{{ end }} 
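Review bot: The `environment:` block of the new `logstash` service in `docker-compose-stack.yml.tmpl` hard-codes `ELASTIC_USER=elastic` and `ELASTIC_PASSWORD=changeme`, whereas the `elasticsearch` service in the sibling template earlier in this series renders `ELASTIC_PASSWORD={{ $password }}` from `fact "password"`, so a profile with a different password leaves Logstash holding stale credentials; and `ELASTIC_HOSTS=https://127.0.0.1:9200` is the Logstash container's own loopback, not the `elasticsearch` service the other services reach as `https://elasticsearch:9200`. Render them from the facts, `- "ELASTIC_PASSWORD={{ fact "password" }}"` and `- ELASTIC_HOSTS=https://elasticsearch:9200`, or drop them, since `logstash.conf.tmpl` in this patch reads the credentials through `fact` rather than through these variables. `logstash_is_ready` also waits on `condition: service_healthy` while the service declares no `healthcheck:` here, so that gate cannot be satisfied as written (the next patch in the series adds one).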
diff --git a/internal/stack/_static/kibana.yml.tmpl b/internal/stack/_static/kibana.yml.tmpl index 80b908c0f9..f044e482f0 100644 --- a/internal/stack/_static/kibana.yml.tmpl +++ b/internal/stack/_static/kibana.yml.tmpl @@ -78,4 +78,13 @@ xpack.fleet.outputs: ca_trusted_fingerprint: "${ELASTIC_PACKAGE_CA_TRUSTED_FINGERPRINT}" is_default: true is_default_monitoring: true + + {{ $logstash_enabled := fact "logstash_enabled" }} + {{ if eq $logstash_enabled "true" }} + - id: fleet-logstash-output + name: logstash-output + type: logstash + hosts: [ 127.0.0.1:9600 ] + ca_trusted_fingerprint: "${ELASTIC_PACKAGE_CA_TRUSTED_FINGERPRINT}" + {{ end }} {{ end }} diff --git a/internal/stack/_static/logstash.conf.tmpl b/internal/stack/_static/logstash.conf.tmpl index 788aea9539..da304c12ea 100644 --- a/internal/stack/_static/logstash.conf.tmpl +++ b/internal/stack/_static/logstash.conf.tmpl @@ -1,32 +1,21 @@ input { - file { - #https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html - #default is TAIL which assumes more data will come into the file. - #change to mode => "read" if the file is a compelte file. by default, the file will be removed once reading is complete -- backup your files if you need them. - mode => "tail" - path => "/usr/share/logstash/ingest_data/*" - } + elastic_agent { + port => 5044 + } } filter { elastic_integration { - hosts=> - username=> {{ fact "username" }} - password=> {{ fact "password" }} - cloud_id => "YOUR_CLOUD_ID_HERE" - cloud_auth => "YOUR_CLOUD_AUTH_HERE" - geoip_database_directory => "/etc/your/geoip-databases" + username => {{ fact "username" }} + password => {{ fact "password" }} } } output { - elasticsearch { - index => "logstash-%{+YYYY.MM.dd}" - hosts=> "${ELASTIC_HOSTS}" - user=> {{ fact "username" }} - password=> {{ fact "password" }} - cacert=> "certs/ca/ca.crt" - } + elasticsearch { + hosts => ["http://localhost:9200"] + data_stream => "true" + } } 
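Review bot: In the rewritten `elastic_integration` filter, `username => {{ fact "username" }}` and `password => {{ fact "password" }}` are rendered as unquoted barewords; Logstash's config grammar only accepts a bareword made of letters, digits and underscores, so a profile password containing a hyphen, `@` or similar produces a pipeline that fails to parse, and the failure only surfaces at container start. Quote the rendered values, `username => "{{ fact "username" }}"` and `password => "{{ fact "password" }}"`. The `user`/`password` lines that a later patch in this series adds to the `output` block have the same shape and need the same quoting.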
diff --git a/internal/stack/resources.go b/internal/stack/resources.go
index f92c9496af..362b7356e1 100644
--- a/internal/stack/resources.go
+++ b/internal/stack/resources.go
@@ -32,6 +32,9 @@ const (
 // KibanaConfigFile is the kibana config file.
 KibanaConfigFile = "kibana.yml"
+ // LogstashConfigFile is the logstash config file.
+ LogstashConfigFile = "logstash.conf"
+
 
 // KibanaHealthcheckFile is the kibana healthcheck.
 KibanaHealthcheckFile = "kibana_healthcheck.sh"
 
@@ -62,7 +65,7 @@ var (
 },
 &resource.File{
 Path: SnapshotFile,
- Content: staticSource.Template("_static/docker-compose-stack-logstash.yml.tmpl"),
+ Content: staticSource.Template("_static/docker-compose-stack.yml.tmpl"),
 },
 &resource.File{
 Path: ElasticsearchConfigFile,
@@ -91,6 +94,10 @@ var (
 Path: KibanaConfigFile,
 Content: staticSource.Template("_static/kibana.yml.tmpl"),
 },
+ &resource.File{
+ Path: LogstashConfigFile,
+ Content: staticSource.Template("_static/logstash.conf.tmpl"),
+ },
 &resource.File{
 Path: KibanaHealthcheckFile,
 Content: staticSource.Template("_static/kibana_healthcheck.sh.tmpl"),
From 4721d8014d6987fe00943d1bcb63d4b171db5b62 Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Tue, 26 Sep 2023 09:05:13 +0200
Subject: [PATCH 05/17] Fix logstash certs in docker-compose
---
 .../stack/_static/docker-compose-stack.yml.tmpl | 9 ++++++++-
 internal/stack/_static/kibana.yml.tmpl | 1 -
 internal/stack/_static/logstash.conf.tmpl | 14 +++++++++++++-
 internal/stack/certs.go | 1 +
 internal/testrunner/runners/system/runner.go | 16 +++++++++++++---
 5 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
index e681f2f573..dbc2774652 100644
--- a/internal/stack/_static/docker-compose-stack.yml.tmpl
+++ b/internal/stack/_static/docker-compose-stack.yml.tmpl
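Review bot: The new `&resource.File{Path: LogstashConfigFile, ...}` entry renders `logstash.conf.tmpl` unconditionally, whereas the compose service it feeds is wrapped in `{{ if eq $logstash_enabled "true" }}`; because that template interpolates `fact "password"`, a plaintext copy of the Elasticsearch credentials is written into every profile's stack directory even when Logstash is disabled. Unless `resource.File` supports a condition (nothing visible here suggests it), wrap the whole body of `logstash.conf.tmpl` in `{{ if eq (fact "logstash_enabled") "true" }}` … `{{ end }}` so the rendered file is empty for profiles that do not opt in. The new `LogstashConfigFile` constant is documented consistently with its neighbours, which is good.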
@@ -157,8 +157,15 @@ services:
 kibana:
 condition: service_healthy
 image: ${LOGSTASH_IMAGE_REF}
- command: bash -c "logstash -f /etc/logstash/conf.d/logstash.conf && bin/logstash-plugin install logstash-filter-elastic_integration"
+ healthcheck:
+ test: bin/logstash -t
+ interval: 60s
+ timeout: 50s
+ retries: 5
+ command: bash -c "bin/logstash-plugin install logstash-filter-elastic_integration && logstash -f /usr/share/logstash/pipeline/logstash.conf"
 volumes:
+ - "../certs/logstash:/usr/share/logstash/config/certs"
+ - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem"
 - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro"
 ports:
 - "127.0.0.1:9600:9600"
diff --git a/internal/stack/_static/kibana.yml.tmpl b/internal/stack/_static/kibana.yml.tmpl
index f044e482f0..51684a1184 100644
--- a/internal/stack/_static/kibana.yml.tmpl
+++ b/internal/stack/_static/kibana.yml.tmpl
@@ -85,6 +85,5 @@ xpack.fleet.outputs:
 name: logstash-output
 type: logstash
 hosts: [ 127.0.0.1:9600 ]
- ca_trusted_fingerprint: "${ELASTIC_PACKAGE_CA_TRUSTED_FINGERPRINT}"
 {{ end }}
 {{ end }}
diff --git a/internal/stack/_static/logstash.conf.tmpl b/internal/stack/_static/logstash.conf.tmpl
index da304c12ea..c8cef9cc25 100644
--- a/internal/stack/_static/logstash.conf.tmpl
+++ b/internal/stack/_static/logstash.conf.tmpl
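Review bot: The added `healthcheck` runs `bin/logstash -t`, which only validates the pipeline configuration and exits; it says nothing about whether the `elastic_agent` input is actually listening, so `logstash_is_ready` (and anything that depends on it) can report healthy before Logstash accepts connections, and with `interval: 60s` plus `timeout: 50s` the first verdict can take minutes while every other service here probes every 5s. A probe against the node API the container already exposes, e.g. `test: "curl -sf http://127.0.0.1:9600/ >/dev/null"` with `interval: 5s` and a `start_period`, would reflect readiness (whether `curl` is present in the Logstash image should be confirmed). The second new volume also mounts Elasticsearch's leaf `cert.pem` as `elasticsearch.pem` to serve as a trust anchor, whereas the CA that signed it (`ca-cert.pem`, presumably present in the `../certs/logstash` mount since the input block of `logstash.conf.tmpl` references it) would keep working across certificate rotation.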
@@ -1,21 +1,33 @@
 input {
 elastic_agent {
 port => 5044
+ ssl_enabled => true
+ ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca-cert.pem"]
+ ssl_certificate => "/usr/share/logstash/config/certs/cert.pem"
+ ssl_key => "/usr/share/logstash/config/certs/key.pem"
+ ssl_client_authentication => "required"
 }
 }
 
 
 filter {
 elastic_integration {
+ hosts => ["https://elasticsearch:9200"]
 username => {{ fact "username" }}
 password => {{ fact "password" }}
+ ssl_enabled => true
+ ssl_verification_mode => "none"
 }
 }
 
 
 output {
 elasticsearch {
- hosts => ["http://localhost:9200"]
+ hosts => ["https://elasticsearch:9200"]
+ user => {{ fact "username" }}
+ password => {{ fact "password" }}
+ ssl_enabled => true
+ ssl_certificate_authorities => "/usr/share/logstash/config/certs/elasticsearch.pem"
 data_stream => "true"
 }
 }
diff --git a/internal/stack/certs.go b/internal/stack/certs.go
index ac63774e6a..7416d6e072 100644
--- a/internal/stack/certs.go
+++ b/internal/stack/certs.go
@@ -23,6 +23,7 @@ var tlsServices = []string{
 "kibana",
 "package-registry",
 "fleet-server",
+ "logstash",
 }
 
 var (
diff --git a/internal/testrunner/runners/system/runner.go b/internal/testrunner/runners/system/runner.go
index a6cc8e316d..441d07129f 100644
--- a/internal/testrunner/runners/system/runner.go
+++ b/internal/testrunner/runners/system/runner.go
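Review bot: `ssl_verification_mode => "none"` on the `elastic_integration` filter disables certificate verification for the connection that carries the stack credentials to `https://elasticsearch:9200`, while the `output` block of the same file verifies the server through `ssl_certificate_authorities`; the stack CA is already available at `/usr/share/logstash/config/certs/ca-cert.pem` (the `input` block uses it), so the filter can verify too. Replace that line with `ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca-cert.pem"]` and leave the verification mode at its default, assuming the plugin version in use accepts the option (it is listed for this filter in current releases). The same CA path can replace the leaf-certificate path `elasticsearch.pem` in the output block.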
@@ -513,10 +513,20 @@ func (r *runner) runTest(config *testConfig, ctxt servicedeployer.ServiceContext // Configure package (single data stream) via Ingest Manager APIs. logger.Debug("creating test policy...") testTime := time.Now().Format("20060102T15:04:05Z") + + // Assign the data_output_id to the agent policy to configure the output to logstash or a default as elasticsearch + var elasticAgentDataOutputId string + if r.options.Profile.Config("stack.logstash_enabled", "false") == "true" { + elasticAgentDataOutputId = "fleet-logstash-output" + } else { + elasticAgentDataOutputId = "fleet-default-output" + } + p := kibana.Policy{ - Name: fmt.Sprintf("ep-test-system-%s-%s-%s", r.options.TestFolder.Package, r.options.TestFolder.DataStream, testTime), - Description: fmt.Sprintf("test policy created by elastic-package test system for data stream %s/%s", r.options.TestFolder.Package, r.options.TestFolder.DataStream), - Namespace: "ep", + Name: fmt.Sprintf("ep-test-system-%s-%s-%s", r.options.TestFolder.Package, r.options.TestFolder.DataStream, testTime), + Description: fmt.Sprintf("test policy created by elastic-package test system for data stream %s/%s", r.options.TestFolder.Package, r.options.TestFolder.DataStream), + Namespace: "ep", + DataOutputID: elasticAgentDataOutputId, } policy, err := r.options.KibanaClient.CreatePolicy(p) if err != nil { From bbc156b4fcd33136cef458ec66fc11f5b77fa256 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Tue, 26 Sep 2023 11:29:02 +0200 Subject: [PATCH 06/17] Fix config for communication between logstash and agent --- internal/profile/config_test.go | 5 +++++ internal/stack/_static/docker-compose-stack.yml.tmpl | 2 +- internal/stack/_static/kibana.yml.tmpl | 2 +- internal/stack/_static/logstash.conf.tmpl | 3 +-- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/internal/profile/config_test.go b/internal/profile/config_test.go index 2d6ee947da..5f7644d3d1 100644 --- a/internal/profile/config_test.go 
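Review bot: `elasticAgentDataOutputId` is chosen from two string literals that must match the `id:` values in kibana.yml.tmpl, and a mismatch would only surface as a Fleet API error during a test run; naming them package-level constants next to the profile key makes the coupling visible, e.g. `const fleetDefaultOutputID = "fleet-default-output"` and `const fleetLogstashOutputID = "fleet-logstash-output"`. The local should also be spelled `elasticAgentDataOutputID` per Go initialism convention, matching the `DataOutputID` field it feeds. `runTest` starts and ends outside the hunk.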
+++ b/internal/profile/config_test.go @@ -47,6 +47,11 @@ func TestLoadProfileConfig(t *testing.T) { expected: "false", found: true, }, + { + name: "stack.logstash_enabled", + expected: "true", + found: true, + }, { name: "not.present", found: false, diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl index dbc2774652..7b4e72c10e 100644 --- a/internal/stack/_static/docker-compose-stack.yml.tmpl +++ b/internal/stack/_static/docker-compose-stack.yml.tmpl @@ -168,7 +168,7 @@ services: - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem" - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro" ports: - - "127.0.0.1:9600:9600" + - "127.0.0.1:5044:5044" environment: - xpack.monitoring.enabled=false - ELASTIC_USER=elastic diff --git a/internal/stack/_static/kibana.yml.tmpl b/internal/stack/_static/kibana.yml.tmpl index 51684a1184..19fdb45e77 100644 --- a/internal/stack/_static/kibana.yml.tmpl +++ b/internal/stack/_static/kibana.yml.tmpl @@ -84,6 +84,6 @@ xpack.fleet.outputs: - id: fleet-logstash-output name: logstash-output type: logstash - hosts: [ 127.0.0.1:9600 ] + hosts: [ logstash:5044 ] {{ end }} {{ end }} diff --git a/internal/stack/_static/logstash.conf.tmpl b/internal/stack/_static/logstash.conf.tmpl index c8cef9cc25..f75abafea8 100644 --- a/internal/stack/_static/logstash.conf.tmpl +++ b/internal/stack/_static/logstash.conf.tmpl @@ -1,11 +1,10 @@ input { elastic_agent { port => 5044 - ssl_enabled => true + ssl_enabled => false ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca-cert.pem"] ssl_certificate => "/usr/share/logstash/config/certs/cert.pem" ssl_key => "/usr/share/logstash/config/certs/key.pem" - ssl_client_authentication => "required" } } From 6f4a80399e5e953251d0e99096bf0f3d396d2670 Mon Sep 17 00:00:00 2001 
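Review bot: Flipping `ssl_enabled => false` and deleting `ssl_client_authentication` makes the agent→Logstash hop on 5044 plaintext with no peer authentication, while the `ssl_certificate_authorities`/`ssl_certificate`/`ssl_key` lines are left behind unused; given the commit title this reads as a workaround for the agent failing to connect rather than a deliberate design choice. If it is interim, say so in the template, e.g. `# TODO: TLS disabled until the Fleet logstash output carries the CA and a client cert (see kibana.yml.tmpl)`, and drop the dead certificate options; otherwise the Fleet output should gain `ssl.certificate_authorities` and the input should keep TLS on. With the port now published on `127.0.0.1:5044` by docker-compose-stack.yml.tmpl, any local process can push unauthenticated events into the pipeline and on to Elasticsearch.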
From: Bharat Pasupula Date: Tue, 26 Sep 2023 14:38:17 +0200 Subject: [PATCH 07/17] Add test package to run on CI --- Makefile | 3 + internal/testrunner/runners/system/runner.go | 4 +- scripts/test-check-packages-with-logstash.sh | 117 + .../ti_misp/_dev/build/build.yml | 3 + .../ti_misp/_dev/build/docs/README.md | 24 + .../_dev/deploy/docker/docker-compose.yml | 14 + .../_dev/deploy/docker/files/config.yml | 506 ++++ .../with-logstash/ti_misp/changelog.yml | 219 ++ .../pipeline/test-misp-attributes-ndjson.log | 26 + ...test-misp-attributes-ndjson.log-config.yml | 3 + ...t-misp-attributes-ndjson.log-expected.json | 2607 +++++++++++++++++ .../test/pipeline/test-misp-long-ndjson.log | 2 + .../test-misp-long-ndjson.log-config.yml | 2 + .../test-misp-long-ndjson.log-expected.json | 221 ++ .../test/pipeline/test-misp-sample-ndjson.log | 16 + .../test-misp-sample-ndjson.log-config.yml | 3 + .../test-misp-sample-ndjson.log-expected.json | 1222 ++++++++ .../_dev/test/system/test-default-config.yml | 13 + .../threat/agent/stream/httpjson.yml.hbs | 88 + .../elasticsearch/ingest_pipeline/default.yml | 466 +++ .../data_stream/threat/fields/agent.yml | 198 ++ .../data_stream/threat/fields/base-fields.yml | 28 + .../data_stream/threat/fields/beats.yml | 12 + .../ti_misp/data_stream/threat/fields/ecs.yml | 76 + .../data_stream/threat/fields/fields.yml | 383 +++ .../ti_misp/data_stream/threat/manifest.yml | 112 + .../data_stream/threat/sample_event.json | 106 + .../_dev/test/pipeline/test-common-config.yml | 3 + .../test/pipeline/test-misp-sample-ndjson.log | 12 + .../test-misp-sample-ndjson.log-expected.json | 767 +++++ .../_dev/test/system/test-default-config.yml | 13 + .../agent/stream/httpjson.yml.hbs | 80 + .../elasticsearch/ingest_pipeline/default.yml | 447 +++ .../threat_attributes/fields/agent.yml | 198 ++ .../threat_attributes/fields/base-fields.yml | 28 + .../threat_attributes/fields/beats.yml | 12 + .../threat_attributes/fields/ecs.yml | 78 + 
.../threat_attributes/fields/fields.yml | 277 ++ .../threat_attributes/manifest.yml | 112 + .../threat_attributes/sample_event.json | 87 + .../with-logstash/ti_misp/docs/README.md | 430 +++ .../with-logstash/ti_misp/img/misp.svg | 158 + ...-32d9c020-71ea-11ec-8197-5d53a5437877.json | 952 ++++++ ...-399bb8d0-71ec-11ec-8197-5d53a5437877.json | 694 +++++ ...-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json | 665 +++++ ...-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json | 14 + .../with-logstash/ti_misp/kibana/tags.yml | 4 + .../with-logstash/ti_misp/manifest.yml | 24 + 48 files changed, 11527 insertions(+), 2 deletions(-) create mode 100755 scripts/test-check-packages-with-logstash.sh create mode 100644 test/packages/with-logstash/ti_misp/_dev/build/build.yml create mode 100644 test/packages/with-logstash/ti_misp/_dev/build/docs/README.md create mode 100644 test/packages/with-logstash/ti_misp/_dev/deploy/docker/docker-compose.yml create mode 100644 test/packages/with-logstash/ti_misp/_dev/deploy/docker/files/config.yml create mode 100644 test/packages/with-logstash/ti_misp/changelog.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-config.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-config.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-expected.json create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log create 
mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-config.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/system/test-default-config.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/fields/agent.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/fields/beats.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/fields/ecs.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/fields/fields.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/manifest.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/sample_event.json create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-common-config.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs create mode 100644 
test/packages/with-logstash/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/agent.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/beats.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/ecs.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/fields.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/manifest.yml create mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/sample_event.json create mode 100644 test/packages/with-logstash/ti_misp/docs/README.md create mode 100644 test/packages/with-logstash/ti_misp/img/misp.svg create mode 100644 test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json create mode 100644 test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json create mode 100644 test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json create mode 100644 test/packages/with-logstash/ti_misp/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json create mode 100644 test/packages/with-logstash/ti_misp/kibana/tags.yml create mode 100644 test/packages/with-logstash/ti_misp/manifest.yml diff --git a/Makefile b/Makefile index 7f7fa31cf1..24771d01d1 100644 --- a/Makefile +++ b/Makefile 
@@ -81,6 +81,9 @@ test-check-packages-other: test-check-packages-false-positives: PACKAGE_TEST_TYPE=false_positives ./scripts/test-check-false-positives.sh +test-check-packages-false-positives: + PACKAGE_TEST_TYPE=with-logstash ./scripts/test-check-packages-with-logstash.sh + test-check-packages-benchmarks: PACKAGE_TEST_TYPE=benchmarks ./scripts/test-check-packages.sh diff --git a/internal/testrunner/runners/system/runner.go b/internal/testrunner/runners/system/runner.go index 441d07129f..2d99016f7e 100644 --- a/internal/testrunner/runners/system/runner.go +++ b/internal/testrunner/runners/system/runner.go @@ -514,9 +514,9 @@ func (r *runner) runTest(config *testConfig, ctxt servicedeployer.ServiceContext logger.Debug("creating test policy...") testTime := time.Now().Format("20060102T15:04:05Z") - // Assign the data_output_id to the agent policy to configure the output to logstash or a default as elasticsearch + // Assign the data_output_id to the agent policy to configure the output to logstash or a default as elasticsearch. The values are inferred from stack/_static/kibana.yml.tmpl var elasticAgentDataOutputId string - if r.options.Profile.Config("stack.logstash_enabled", "false") == "true" { + if strings.Compare(r.options.Profile.Config("stack.logstash_enabled", "false"), "true") == 0 { elasticAgentDataOutputId = "fleet-logstash-output" } else { elasticAgentDataOutputId = "fleet-default-output" diff --git a/scripts/test-check-packages-with-logstash.sh b/scripts/test-check-packages-with-logstash.sh new file mode 100755 index 0000000000..19b7ca93f2 --- /dev/null +++ b/scripts/test-check-packages-with-logstash.sh 
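Review bot: The new target is declared as `test-check-packages-false-positives:`, the same name as the target immediately above it, so `make` will warn about an overridden recipe and the false-positives check will silently run the logstash script instead; it should read `test-check-packages-with-logstash:`. Whether an aggregate `test-check-packages` target or the CI pipeline must also list the new target is outside the hunk.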
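Review bot: `strings.Compare(..., "true") == 0` is a step backwards from the `==` it replaces; the strings package documents `Compare` as existing only for symmetry with `bytes.Compare` and recommends the built-in operators for string comparison. Keep `if r.options.Profile.Config("stack.logstash_enabled", "false") == "true" {`. The expanded comment pointing at kibana.yml.tmpl is a useful addition; `runTest` starts and ends outside the hunk.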
@@ -0,0 +1,117 @@ +#!/bin/bash + +set -euxo pipefail + +function cleanup() { + r=$? + + # Dump stack logs + elastic-package stack dump -v --output "build/elastic-stack-dump/check-${PACKAGE_UNDER_TEST:-${PACKAGE_TEST_TYPE:-*}}" + + # Delete the logstash profile + elastic-package profiles delete logstash -v + + # Take down the stack + elastic-package stack down -v + + # Clean used resources + for d in test/packages/${PACKAGE_TEST_TYPE:-with-logstash}/${PACKAGE_UNDER_TEST:-*}/; do + ( + cd $d + elastic-package clean -v + ) + done + + exit $r +} + +trap cleanup EXIT + +export ELASTIC_PACKAGE_LINKS_FILE_PATH="$(pwd)/scripts/links_table.yml" + +# Create a logstash profile and use it +elastic-package profiles create logstash -v +elastic-package profiles use logstash + +# Rename the config.yml.example to config.yml +mv ~/.elastic-package/profiles/logstash/config.yml.example ~/.elastic-package/profiles/logstash/config.yml -v + +# Add config to enable logstash +echo "stack.logstash_enabled: true" >> ~/.elastic-package/profiles/logstash/config.yml + +# Update the stack +elastic-package stack update -v + +# Boot up the stack +elastic-package stack up -d -v + +elastic-package stack status + +# Run package tests +for d in test/packages/${PACKAGE_TEST_TYPE:-with-logstash}/${PACKAGE_UNDER_TEST:-*}/; do + check_build_output $d + check_expected_errors $d +done + +function check_expected_errors() { + local package_root=$1 + local package_name=$(basename $1) + local expected_errors_file="${package_root%/}.expected_errors" + local result_tests="build/test-results/${package_name}_*.xml" + local results_no_spaces="build/test-results-no-spaces.xml" + + if [ ! 
-f ${expected_errors_file} ]; then + echo "No unexpected errors file in ${expected_errors_file}" + return + fi + + rm -f ${result_tests} + ( + cd $package_root + elastic-package test -v --report-format xUnit --report-output file --test-coverage --defer-cleanup 1s || true + ) + + cat ${result_tests} | tr -d '\n' > ${results_no_spaces} + + # check number of expected errors + local number_errors=$(cat ${result_tests} | grep "" | wc -l) + local expected_errors=$(cat ${expected_errors_file} | wc -l) + + if [ ${number_errors} -ne ${expected_errors} ]; then + echo "Error: There are unexpected errors in ${package_name}" + exit 1 + fi + + # check whether or not the expected errors exist in the xml files + while read -r line; do + cat ${results_no_spaces} | grep -E "${line}" + done < ${expected_errors_file} + + rm -f ${result_tests} + rm -f ${results_no_spaces} +} + +function check_build_output() { + local package_root=$1 + local expected_build_output="${package_root%/}.build_output" + local output_file="$PWD/build/elastic-package-output" + + if [ ! -f ${expected_build_output} ]; then + ( + cd $package_root + elastic-package build -v + ) + return + fi + + ( + cd $package_root + mkdir -p $(dirname $output_file) + elastic-package build 2>&1 | tee $output_file || true # Ignore errors here + ) + + diff -w -u $expected_build_output $output_file || ( + echo "Error: Build output has differences with expected output" + exit 1 + ) +} diff --git a/test/packages/with-logstash/ti_misp/_dev/build/build.yml b/test/packages/with-logstash/ti_misp/_dev/build/build.yml new file mode 100644 index 0000000000..c8eeec8cac --- /dev/null +++ b/test/packages/with-logstash/ti_misp/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v8.9.0 diff --git a/test/packages/with-logstash/ti_misp/_dev/build/docs/README.md b/test/packages/with-logstash/ti_misp/_dev/build/docs/README.md new file mode 100644 index 0000000000..6403590840 --- /dev/null 
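Review bot: The `for d in test/packages/...` loop calls `check_build_output` and `check_expected_errors` before those functions are defined further down the script; bash resolves function names at call time, so under `set -e` the first iteration aborts with `check_build_output: command not found` and the EXIT trap tears the stack down before any package is tested. Move the two function definitions above the loop (or the loop to the end of the file). Separately, `grep ""` in `check_expected_errors` matches every line, so `number_errors` becomes a total line count rather than a failure count — if the intended pattern was a tag such as `<failure` it appears to have been lost and should be restored.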
+++ b/test/packages/with-logstash/ti_misp/_dev/build/docs/README.md @@ -0,0 +1,24 @@ +# MISP Integration + +The MISP integration uses the [REST API from the running MISP instance](https://www.circl.lu/doc/misp/automation/#automation-api) to retrieve indicators and Threat Intelligence. + +## Logs + +### Threat + +The MISP integration configuration allows to set the polling interval, how far back it +should look initially, and optionally any filters used to filter the results. + +The filters themselves are based on the [MISP API documentation](https://www.circl.lu/doc/misp/automation/#search) and should support all documented fields. + +{{fields "threat"}} + +{{event "threat"}} + +### Threat Attributes + +The MISP integration configuration allows to set the polling interval, how far back it should look initially, and optionally any filters used to filter the results. +This data stream uses the `/attributes/restSearch` API endpoint which returns more granular information regarding MISP attributes and additional information. + +{{fields "threat_attributes"}} + diff --git a/test/packages/with-logstash/ti_misp/_dev/deploy/docker/docker-compose.yml b/test/packages/with-logstash/ti_misp/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 0000000000..c4312bb558 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,14 @@ +version: "2.3" +services: + misp: + image: docker.elastic.co/observability/stream:v0.6.1 + ports: + - 8080 + volumes: + - ./files:/files:ro + environment: + PORT: 8080 + command: + - http-server + - --addr=:8080 + - --config=/files/config.yml diff --git a/test/packages/with-logstash/ti_misp/_dev/deploy/docker/files/config.yml b/test/packages/with-logstash/ti_misp/_dev/deploy/docker/files/config.yml new file mode 100644 index 0000000000..2a1726b067 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/_dev/deploy/docker/files/config.yml 
@@ -0,0 +1,506 @@ +rules: + - path: /events/restSearch + methods: ["POST"] + request_headers: + Authorization: "test" + Content-Type: application/json + request_body: /^{"limit":"10","page":"1","returnFormat":"json","timestamp":"\d+"/ + responses: + - status_code: 200 + body: |- + { + "response": [ + { + "Event": { + "Attribute": [ + { + "Galaxy": [], + "ShadowAttribute": [], + "category": "Payload delivery", + "comment": "filename content for test event 3", + "deleted": false, + "disable_correlation": false, + "distribution": "5", + "event_id": "3633", + "first_seen": null, + "id": "266263", + "last_seen": null, + "object_id": "0", + "object_relation": null, + "sharing_group_id": "0", + "timestamp": "1621589229", + "to_ids": false, + "type": "filename", + "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "value": "thetestfile.txt" + } + ], + "EventReport": [], + "Galaxy": [], + "Object": [ + { + "Attribute": [ + { + "Galaxy": [], + "ShadowAttribute": [], + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": "5", + "event_id": "3633", + "first_seen": null, + "id": "266265", + "last_seen": null, + "object_id": "18207", + "object_relation": "sha256", + "sharing_group_id": "0", + "timestamp": "1621589548", + "to_ids": true, + "type": "sha256", + "uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e", + "value": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee" + } + ], + "ObjectReference": [], + "comment": "File object for event 3", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": "5", + "event_id": "3633", + "first_seen": null, + "id": "18207", + "last_seen": null, + "meta-category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "1621589548", + "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" + } + ], + "Org": { + "id": "1", + 
"local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + }, + "Orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + }, + "RelatedEvent": [ + { + "Event": { + "Org": { + "id": "1", + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + }, + "Orgc": { + "id": "1", + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + }, + "analysis": "0", + "date": "2021-05-21", + "distribution": "1", + "id": "3631", + "info": "Test event 1 just atrributes", + "org_id": "1", + "orgc_id": "1", + "published": false, + "threat_level_id": "1", + "timestamp": "1621588162", + "uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3" + } + } + ], + "ShadowAttribute": [], + "analysis": "0", + "attribute_count": "6", + "date": "2021-05-21", + "disable_correlation": false, + "distribution": "1", + "event_creator_email": "admin@admin.test", + "extends_uuid": "", + "id": "3633", + "info": "Test event 3 objects and attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "0", + "published": false, + "sharing_group_id": "0", + "threat_level_id": "1", + "timestamp": "1621592532", + "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" + } + } + ] + } + - path: /events/restSearch + methods: ["POST"] + request_headers: + Authorization: "test" + Content-Type: application/json + request_body: /^{"limit":"10","page":"2","returnFormat":"json","timestamp":"\d+"/ + responses: + - status_code: 200 + body: |- + { + "response": [ + { + "Event": { + "Attribute": [ + { + "Galaxy": [], + "ShadowAttribute": [], + "category": "Network activity", + "comment": "Conext for domain type attribute event 2", + "deleted": false, + "disable_correlation": false, + "distribution": "5", + "event_id": "3632", + "first_seen": null, + "id": "266260", + "last_seen": null, + "object_id": "0", + "object_relation": null, + "sharing_group_id": "0", + "timestamp": 
"1621588744", + "to_ids": true, + "type": "domain", + "uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b", + "value": "baddom.madeup.local" + } + ], + "EventReport": [], + "Galaxy": [], + "Object": [], + "Org": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + }, + "Orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + }, + "RelatedEvent": [ + { + "Event": { + "Org": { + "id": "1", + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + }, + "Orgc": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "analysis": "2", + "date": "2018-03-26", + "distribution": "3", + "id": "684", + "info": "OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t", + "org_id": "1", + "orgc_id": "2", + "published": true, + "threat_level_id": "3", + "timestamp": "1523865236", + "uuid": "5acdb4d0-b534-4713-9612-4a1d950d210f" + } + } + ], + "ShadowAttribute": [], + "analysis": "0", + "attribute_count": "4", + "date": "2021-05-21", + "disable_correlation": false, + "distribution": "1", + "event_creator_email": "admin@admin.test", + "extends_uuid": "", + "id": "3632", + "info": "Test event 2 just more atrributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "0", + "published": false, + "sharing_group_id": "0", + "threat_level_id": "2", + "timestamp": "1621588836", + "uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763" + } + }, + { + "Event": { + "id": "2", + "orgc_id": "2", + "org_id": "1", + "date": "2014-10-03", + "threat_level_id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "published": true, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b", + "attribute_count": "29", + "analysis": "2", + "timestamp": "1412579577", + "distribution": "3", + "proposal_email_lock": false, + "locked": false, 
+ "publish_timestamp": "1610622316", + "sharing_group_id": "0", + "disable_correlation": false, + "extends_uuid": "", + "Org": { + "id": "1", + "name": "ORGNAME", + "uuid": "5877549f-ea76-4b91-91fb-c72ad682b4a5", + "local": true + }, + "Orgc": { + "id": "2", + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "local": false + }, + "Attribute": [ + { + "id": "12394", + "type": "domain", + "category": "Network activity", + "to_ids": false, + "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16", + "event_id": "22", + "distribution": "5", + "timestamp": "1462454963", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "0", + "object_relation": null, + "first_seen": null, + "last_seen": null, + "value": "whatsapp.com", + "Galaxy": [], + "ShadowAttribute": [] + } + ], + "ShadowAttribute": [], + "RelatedEvent": [], + "Galaxy": [], + "Object": [], + "EventReport": [], + "Tag": [ + { + "id": "1", + "name": "type:OSINT", + "colour": "#004646", + "exportable": true, + "user_id": "0", + "hide_tag": false, + "numerical_value": null, + "is_galaxy": false, + "is_custom_galaxy": false, + "local": 0 + }, + { + "id": "2", + "name": "tlp:green", + "colour": "#339900", + "exportable": true, + "user_id": "0", + "hide_tag": false, + "numerical_value": null, + "is_galaxy": false, + "is_custom_galaxy": false, + "local": 0 + } + ] + } + } + ] + } + - path: /events/restSearch + methods: ["POST"] + request_headers: + Authorization: "test" + Content-Type: application/json + request_body: /^{"limit":"10","page":"3","returnFormat":"json","timestamp":"\d+"/ + responses: + - status_code: 200 + body: |- + { + "response": [] + } + - path: /attributes/restSearch + methods: ["POST"] + request_headers: + Authorization: "test" + Content-Type: application/json + request_body: /^{"limit":"10","page":"1","returnFormat":"json","timestamp":"\d+"/ + responses: + - status_code: 200 + body: |- + { + "response": { + "Attribute": [ 
+ { + "id": "1", + "event_id": "1", + "object_id": "0", + "object_relation": null, + "category": "External analysis", + "type": "link", + "to_ids": false, + "uuid": "542e4cbd-ee78-4a57-bfb8-1fda950d210b", + "timestamp": "1412320445", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + { + "id": "2", + "event_id": "1", + "object_id": "0", + "object_relation": null, + "category": "External analysis", + "type": "link", + "to_ids": false, + "uuid": "542e4cbe-d560-4e14-9157-1fda950d210b", + "timestamp": "1412320446", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "https://gist.github.com/andrewsmhay/de1cdc63d04c2bbf8c12", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + { + "id": "3", + "event_id": "1", + "object_id": "0", + "object_relation": null, + "category": "External analysis", + "type": "link", + "to_ids": false, + "uuid": "542e4cbe-12a4-4345-b0a4-1fda950d210b", + "timestamp": "1412320446", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "https://gist.githubusercontent.com/andrewsmhay/de1cdc63d04c2bbf8c12/raw/f20402cf5a0c646c63c4521f60587703fe654443/iplist", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + 
"uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + { + "id": "4", + "event_id": "1", + "object_id": "0", + "object_relation": null, + "category": "External analysis", + "type": "text", + "to_ids": false, + "uuid": "542e4ccc-b8fc-44af-959d-6ead950d210b", + "timestamp": "1412320460", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "Shellshock", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + { + "id": "5", + "event_id": "1", + "object_id": "0", + "object_relation": null, + "category": "External analysis", + "type": "comment", + "to_ids": false, + "uuid": "542e4ce7-6120-41c0-8793-e90e950d210b", + "timestamp": "1412320487", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "Data encoded by David André", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + } + ] + } + } + - path: /attributes/restSearch + methods: ["POST"] + request_headers: + Authorization: "test" + Content-Type: application/json + request_body: /^{"limit":"10","page":"2","returnFormat":"json","timestamp":"\d+"/ + responses: + - status_code: 200 + body: "{\n \"response\": {\n \"Attribute\": []\n }\n} " diff --git a/test/packages/with-logstash/ti_misp/changelog.yml b/test/packages/with-logstash/ti_misp/changelog.yml new file mode 100644 index 0000000000..1fcea4408d --- /dev/null +++ b/test/packages/with-logstash/ti_misp/changelog.yml 
@@ -0,0 +1,219 @@
+# newer versions go on top
+- version: "1.22.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.21.0"
+ changes:
+ - description: Update package-spec to 2.10.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7570
+- version: "1.20.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7111
+- version: "1.19.0"
+ changes:
+ - description: Document duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6992
+- version: "1.18.2"
+ changes:
+ - description: Remove confusing error message tag prefix.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7105
+- version: "1.18.1"
+ changes:
+ - description: Remove renaming the original `message` field to `event.original`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6794
+- version: "1.18.0"
+ changes:
+ - description: Retain email subjects in misp.attributes.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6794
+- version: "1.17.0"
+ changes:
+ - description: Document valid duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6706
+- version: "1.16.2"
+ changes:
+ - description: Fix the fingerprint processor in the Attributes Pipeline.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6719
+- version: "1.16.1"
+ changes:
+ - description: Keep the same timestamp for later pages in a pagination sequence.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6649
+- version: "1.16.0"
+ changes:
+ - description: Ensure event.kind is correctly set for pipeline errors.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6633
+- version: "1.15.4"
+ changes:
+ - description: Fix parsing of threat event publish_timestamp.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6575
+- version: "1.15.3"
+ changes:
+ - description: Fix bug where the threat_attributes data stream would not stop paginating after an empty response.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6512
+- version: "1.15.2"
+ changes:
+ - description: Prevent duplicate requests for the first page while paginating.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6495
+- version: "1.15.1"
+ changes:
+ - description: Fix timestamp format sent in query.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6482
+- version: "1.15.0"
+ changes:
+ - description: Update package to ECS 8.8.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6328
+- version: "1.14.1"
+ changes:
+ - description: Fix `tags` processing that was removing original tags if misp tags were present.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6218
+ - description: Add missing `event.original` cleanup step for `threat_attributes` data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6218
+- version: "1.14.0"
+ changes:
+ - description: Add a new flag to enable request tracing
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6115
+- version: "1.13.1"
+ changes:
+ - description: Harmonise object fields in data streams.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5917
+- version: "1.13.0"
+ changes:
+ - description: Add toggle to enable request tracing.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5965
+- version: "1.12.1"
+ changes:
+ - description: Harmonise distribution fields to type long.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5908
+- version: "1.12.0"
+ changes:
+ - description: Add Attributes datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4136
+- version: "1.11.0"
+ changes:
+ - description: Update package to ECS 8.7.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5765
+- version: "1.10.1"
+ changes:
+ - description: Drop empty event sets.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5390
+- version: "1.10.0"
+ changes:
+ - description: Honor `preserve_original_event` tag.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5190
+- version: "1.9.0"
+ changes:
+ - description: Update package to ECS 8.6.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4576
+- version: "1.8.0"
+ changes:
+ - description: Update package to ECS 8.5.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4285
+- version: "1.7.1"
+ changes:
+ - description: Remove duplicate field.
+ type: bugfix
+ link: https://github.com/elastic/integrations/issues/4327
+- version: "1.7.0"
+ changes:
+ - description: Update package to ECS 8.4.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3923
+- version: "1.6.1"
+ changes:
+ - description: Fix proxy URL documentation rendering.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3881
+- version: "1.6.0"
+ changes:
+ - description: Update categories to include `threat_intel`.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3689
+- version: "1.5.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "1.4.1"
+ changes:
+ - description: update readme to include link to MISP documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3168
+- version: "1.4.0"
+ changes:
+ - description: Fix pagination looping forever
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3446
+- version: "1.3.1"
+ changes:
+ - description: Update package descriptions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3398
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2781
+- version: "1.2.2"
+ changes:
+ - description: Add mapping for event.created
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2448
+- version: "1.1.0"
+ changes:
+ - description: Adds dashboards and threat.feed ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2485
+- version: "1.0.2"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.0.1"
+ changes:
+ - description: Bump minimum version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2063
+- version: "1.0.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1946
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log
new file mode 100644
index 0000000000..db8957404b
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log
@@ -0,0 +1,26 @@ +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload installation","comment":"Contextual comment for the file md5 attribute","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3631","first_seen":null,"id":"266258","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588162","to_ids":false,"type":"md5","uuid":"34c59b06-d35d-4808-919c-4b452f185c52","value":"70461da8b94c6ca5d2fda3260c5a8c3b"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3633","info":"Test event 3 objects and attributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"1","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3631","info":"Test event 1 just atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"Artefact dropped for test 
2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266259","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588675","to_ids":true,"type":"md5","uuid":"73102a1c-7432-47b7-9644-6f9d46b6887c","value":"60461da8b94c6ca5d2fda3260c5a8c3b"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Network activity","comment":"Conext for domain type attribute event 
2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266260","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588744","to_ids":true,"type":"domain","uuid":"a52a1b47-a580-4f33-96ba-939cf9146c9b","value":"baddom.madeup.local"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Network activity","comment":"Ip-src attribute context for 
event2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266261","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588800","to_ids":false,"type":"ip-src","uuid":"3dbf224b-7c84-4c4b-9f95-80f28954bd10","value":"10.0.0.1"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Network activity","comment":"ip-dst context for event id 
2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266262","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588836","to_ids":true,"type":"ip-dst","uuid":"db4bfd36-7374-4f8c-9031-60e56d4bba30","value":"192.168.1.50"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 
3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266267","last_seen":null,"object_id":"18207","object_relation":"fullpath","sharing_group_id":"0","timestamp":"1621589548","to_ids":false,"type":"text","uuid":"ff97cc32-815e-4fc9-9d4b-cab9822027a6","value":"\\the\\fullpath\\to the file\\filenameofobject.txt"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just 
atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3633","first_seen":null,"id":"266268","last_seen":null,"object_id":"18207","object_relation":"size-in-bytes","sharing_group_id":"0","timestamp":"1621589548","to_ids":false,"type":"size-in-bytes","uuid":"e378b4d9-43e1-4c64-bd4e-70fce2b4e581","value":"505050"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload 
delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266264","last_seen":null,"object_id":"18207","object_relation":"md5","sharing_group_id":"0","timestamp":"1621589548","to_ids":true,"type":"md5","uuid":"787b3822-0bec-4278-b34a-5d649e7bce05","value":"70461da8b94c6ca5d2fda3260c5a8c3b"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename 
contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266265","last_seen":null,"object_id":"18207","object_relation":"sha256","sharing_group_id":"0","timestamp":"1621589548","to_ids":true,"type":"sha256","uuid":"657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e","value":"f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just 
atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3633","first_seen":null,"id":"266266","last_seen":null,"object_id":"18207","object_relation":"filename","sharing_group_id":"0","timestamp":"1621589548","to_ids":true,"type":"filename","uuid":"6648d129-9200-431b-9b41-263a84f7c9d2","value":"filenameofobject.txt"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3634","first_seen":null,"id":"266269","last_seen":null,"object_id":"18208","object_relation":"text","sharing_group_id":"0","timestamp":"1621591770","to_ids":false,"type":"text","uuid":"25d2f181-26ae-4d6f-b4fd-85b9d1f82e67","value":"Free text in the file object"},"ObjectReference":[],"comment":"File object for test event 4 ","deleted":false,"description":"File object 
describing a file with meta-information","distribution":"5","event_id":"3634","first_seen":null,"id":"18208","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621591770","uuid":"190c762c-a389-4ecc-8f6e-68f92d42adef"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"3","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3634","info":"Test event 4 with object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1621591770","uuid":"d98a8418-9f90-4b50-a623-6921ca5b356d"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3634","first_seen":null,"id":"266270","last_seen":null,"object_id":"18208","object_relation":"sha256","sharing_group_id":"0","timestamp":"1621591770","to_ids":true,"type":"sha256","uuid":"4e579782-346b-44b3-b72c-1cae8d87cb25","value":"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666"},"ObjectReference":[],"comment":"File object for test event 4 ","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3634","first_seen":null,"id":"18208","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621591770","uuid":"190c762c-a389-4ecc-8f6e-68f92d42adef"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"3","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3634","info":"Test event 4 with object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1621591770","uuid":"d98a8418-9f90-4b50-a623-6921ca5b356d"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3634","first_seen":null,"id":"266271","last_seen":null,"object_id":"18208","object_relation":"filename","sharing_group_id":"0","timestamp":"1621591770","to_ids":true,"type":"filename","uuid":"a40343b5-a480-4288-9b0c-7ae074a77140","value":"filenameinmispobject.txt"},"ObjectReference":[],"comment":"File object for test event 4 ","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3634","first_seen":null,"id":"18208","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621591770","uuid":"190c762c-a389-4ecc-8f6e-68f92d42adef"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"3","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3634","info":"Test event 4 with object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1621591770","uuid":"d98a8418-9f90-4b50-a623-6921ca5b356d"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266272","last_seen":null,"object_id":"18209","object_relation":"text","sharing_group_id":"0","timestamp":"1621592379","to_ids":false,"type":"text","uuid":"188a6a15-5704-4e4f-acba-22c55ab08fe8","value":"Object 5 free text attribute in object"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266275","last_seen":null,"object_id":"18209","object_relation":"entropy","sharing_group_id":"0","timestamp":"1621592379","to_ids":false,"type":"float","uuid":"2400b103-4a33-4f92-ac04-a558b6c6e252","value":"0.53535445"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266276","last_seen":null,"object_id":"18209","object_relation":"size-in-bytes","sharing_group_id":"0","timestamp":"1621592379","to_ids":false,"type":"size-in-bytes","uuid":"e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7","value":"55555"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3635","first_seen":null,"id":"266273","last_seen":null,"object_id":"18209","object_relation":"sha256","sharing_group_id":"0","timestamp":"1621592379","to_ids":true,"type":"sha256","uuid":"803f10bd-9087-4169-8699-277579a92693","value":"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} +{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266274","last_seen":null,"object_id":"18209","object_relation":"filename","sharing_group_id":"0","timestamp":"1621592379","to_ids":true,"type":"filename","uuid":"e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f","value":"object5.txt"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266278","last_seen":null,"object_id":"18210","object_relation":"text","sharing_group_id":"0","timestamp":"1622200348","to_ids":false,"type":"text","uuid":"955e34a5-a630-42c9-868d-6e3dcb575987","value":"Excutable create bad pipe"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266281","last_seen":null,"object_id":"18211","object_relation":"size-in-bytes","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"size-in-bytes","uuid":"2fa7721b-ad73-4914-b082-8d44233ced98","value":"3892"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable 
Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266283","last_seen":null,"object_id":"18211","object_relation":"name","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"text","uuid":"d35c1ff8-a69c-482b-8fb0-1182988d9468","value":".data"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable 
Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266284","last_seen":null,"object_id":"18211","object_relation":"text","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"text","uuid":"dc11971a-a676-4676-b24c-a45a8791e0b0","value":"Extracted zip archive data"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a 
Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266285","last_seen":null,"object_id":"18211","object_relation":"entropy","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"float","uuid":"a85c0cbb-25a8-4bc9-b146-3cba1020e5bb","value":"7.93280431051"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a 
Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266279","last_seen":null,"object_id":"18210","object_relation":"md5","sharing_group_id":"0","timestamp":"1622200348","to_ids":true,"type":"md5","uuid":"1c97c043-5de2-41a1-b591-3237174cd290","value":"7392463caf95534d56460bc9f360adc1"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object 
describing a file with meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload 
delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266282","last_seen":null,"object_id":"18211","object_relation":"md5","sharing_group_id":"0","timestamp":"1622200780","to_ids":true,"type":"md5","uuid":"f3b8696e-5390-4383-ace2-6e06bfae497d","value":"7295463caf95534d56460bc9f360adc1"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts 
dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266280","last_seen":null,"object_id":"18210","object_relation":"filename","sharing_group_id":"0","timestamp":"1622200348","to_ids":true,"type":"filename","uuid":"2dfcb937-e6af-4b5d-ad50-f8eb975990f3","value":"badmojopipe.exe"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} 
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-config.yml
new file mode 100644
index 0000000000..4da2264165
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json
new file mode 100644
index 0000000000..ff85a3edc6
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json
@@ -0,0 +1,2607 @@ +{ + "expected": [ + { + "@timestamp": "2021-05-21T09:09:22.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload installation\",\"comment\":\"Contextual comment for the file md5 attribute\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3631\",\"first_seen\":null,\"id\":\"266258\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588162\",\"to_ids\":false,\"type\":\"md5\",\"uuid\":\"34c59b06-d35d-4808-919c-4b452f185c52\",\"value\":\"70461da8b94c6ca5d2fda3260c5a8c3b\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"1\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3631\",\"info\":\"Test event 1 just 
atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload installation", + "comment": "Contextual comment for the file md5 attribute", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3631", + "id": "266258", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:09:22.000Z", + "to_ids": false, + "type": "md5", + "uuid": "34c59b06-d35d-4808-919c-4b452f185c52" + }, + "event": { + "attribute_count": 1, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3631", + "info": "Test event 1 just atrributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "md5": "70461da8b94c6ca5d2fda3260c5a8c3b" + } + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T09:20:36.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"Artefact dropped for test 
2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266259\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588675\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"73102a1c-7432-47b7-9644-6f9d46b6887c\",\"value\":\"60461da8b94c6ca5d2fda3260c5a8c3b\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Artifacts dropped", + "comment": "Artefact dropped for test 2", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3632", + "id": "266259", + 
"object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:17:55.000Z", + "to_ids": true, + "type": "md5", + "uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c" + }, + "event": { + "attribute_count": 4, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3632", + "info": "Test event 2 just more atrributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "md5": "60461da8b94c6ca5d2fda3260c5a8c3b" + } + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T09:20:36.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"Conext for domain type attribute event 
2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266260\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588744\",\"to_ids\":true,\"type\":\"domain\",\"uuid\":\"a52a1b47-a580-4f33-96ba-939cf9146c9b\",\"value\":\"baddom.madeup.local\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "Conext for domain type attribute event 2", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3632", + "id": "266260", + 
"object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:19:04.000Z", + "to_ids": true, + "type": "domain", + "uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b" + }, + "event": { + "attribute_count": 4, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3632", + "info": "Test event 2 just more atrributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0, + "type": "domain-name", + "url": { + "domain": "baddom.madeup.local" + } + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T09:20:36.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"Ip-src attribute context for 
event2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266261\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588800\",\"to_ids\":false,\"type\":\"ip-src\",\"uuid\":\"3dbf224b-7c84-4c4b-9f95-80f28954bd10\",\"value\":\"10.0.0.1\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "Ip-src attribute context for event2", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3632", + "id": "266261", + "object_id": 
"0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:20:00.000Z", + "to_ids": false, + "type": "ip-src", + "uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10" + }, + "event": { + "attribute_count": 4, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3632", + "info": "Test event 2 just more atrributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "ip": "10.0.0.1", + "provider": "misp", + "scanner_stats": 0, + "type": "ipv4-addr" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T09:20:36.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"ip-dst context for event id 
2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266262\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588836\",\"to_ids\":true,\"type\":\"ip-dst\",\"uuid\":\"db4bfd36-7374-4f8c-9031-60e56d4bba30\",\"value\":\"192.168.1.50\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "ip-dst context for event id 2", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3632", + "id": "266262", + "object_id": "0", + 
"sharing_group_id": "0", + "timestamp": "2021-05-21T09:20:36.000Z", + "to_ids": true, + "type": "ip-dst", + "uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30" + }, + "event": { + "attribute_count": 4, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3632", + "info": "Test event 2 just more atrributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "ip": "192.168.1.50", + "provider": "misp", + "scanner_stats": 0, + "type": "ipv4-addr" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:22:12.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 
3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266267\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"fullpath\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"ff97cc32-815e-4fc9-9d4b-cab9822027a6\",\"value\":\"\\\\the\\\\fullpath\\\\to the file\\\\filenameofobject.txt\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just 
atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3633", + "id": "266267", + "object_id": "18207", + "object_relation": "fullpath", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:32:28.000Z", + "to_ids": false, + "type": "text", + "uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6", + "value": "\\the\\fullpath\\to the file\\filenameofobject.txt" + }, + "context": { + "attribute": { + "category": "Payload delivery", + "comment": "filename contect for test event 3", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3633", + "id": "266263", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:27:09.000Z", + "to_ids": false, + "type": "filename", + "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "value": "thetestfile.txt" + } + }, + "event": { + "attribute_count": 6, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3633", + "info": "Test event 3 objects and attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": 
"1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" + }, + "object": { + "comment": "File object for event 3", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3633", + "id": "18207", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T09:32:28.000Z", + "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:22:12.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 
3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266268\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"size-in-bytes\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":false,\"type\":\"size-in-bytes\",\"uuid\":\"e378b4d9-43e1-4c64-bd4e-70fce2b4e581\",\"value\":\"505050\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just 
atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3633", + "id": "266268", + "object_id": "18207", + "object_relation": "size-in-bytes", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:32:28.000Z", + "to_ids": false, + "type": "size-in-bytes", + "uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581", + "value": "505050" + }, + "context": { + "attribute": { + "category": "Payload delivery", + "comment": "filename contect for test event 3", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3633", + "id": "266263", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:27:09.000Z", + "to_ids": false, + "type": "filename", + "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "value": "thetestfile.txt" + } + }, + "event": { + "attribute_count": 6, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3633", + "info": "Test event 3 objects and attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + 
"sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" + }, + "object": { + "comment": "File object for event 3", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3633", + "id": "18207", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T09:32:28.000Z", + "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:22:12.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload 
delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266264\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"md5\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"787b3822-0bec-4278-b34a-5d649e7bce05\",\"value\":\"70461da8b94c6ca5d2fda3260c5a8c3b\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and 
attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3633", + "id": "266264", + "object_id": "18207", + "object_relation": "md5", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:32:28.000Z", + "to_ids": true, + "type": "md5", + "uuid": "787b3822-0bec-4278-b34a-5d649e7bce05" + }, + "context": { + "attribute": { + "category": "Payload delivery", + "comment": "filename contect for test event 3", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3633", + "id": "266263", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:27:09.000Z", + "to_ids": false, + "type": "filename", + "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "value": "thetestfile.txt" + } + }, + "event": { + "attribute_count": 6, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3633", + "info": "Test event 3 objects and attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" + }, + "object": { + "comment": "File object for event 3", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3633", + "id": "18207", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + 
"timestamp": "2021-05-21T09:32:28.000Z", + "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "md5": "70461da8b94c6ca5d2fda3260c5a8c3b" + } + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:22:12.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266265\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e\",\"value\":\"f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3633", + "id": "266265", + "object_id": "18207", + "object_relation": "sha256", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:32:28.000Z", + "to_ids": true, + 
"type": "sha256", + "uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e" + }, + "context": { + "attribute": { + "category": "Payload delivery", + "comment": "filename contect for test event 3", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3633", + "id": "266263", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:27:09.000Z", + "to_ids": false, + "type": "filename", + "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "value": "thetestfile.txt" + } + }, + "event": { + "attribute_count": 6, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3633", + "info": "Test event 3 objects and attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" + }, + "object": { + "comment": "File object for event 3", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3633", + "id": "18207", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T09:32:28.000Z", + "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee" + } + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:22:12.000Z", + 
"ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266266\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"6648d129-9200-431b-9b41-263a84f7c9d2\",\"value\":\"filenameofobject.txt\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3633", + "id": "266266", + "object_id": "18207", + "object_relation": "filename", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:32:28.000Z", + "to_ids": true, 
+ "type": "filename", + "uuid": "6648d129-9200-431b-9b41-263a84f7c9d2" + }, + "context": { + "attribute": { + "category": "Payload delivery", + "comment": "filename contect for test event 3", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3633", + "id": "266263", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:27:09.000Z", + "to_ids": false, + "type": "filename", + "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "value": "thetestfile.txt" + } + }, + "event": { + "attribute_count": 6, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3633", + "info": "Test event 3 objects and attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" + }, + "object": { + "comment": "File object for event 3", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3633", + "id": "18207", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T09:32:28.000Z", + "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "name": "filenameofobject.txt" + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:09:30.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + 
"category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"266269\",\"last_seen\":null,\"object_id\":\"18208\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621591770\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"25d2f181-26ae-4d6f-b4fd-85b9d1f82e67\",\"value\":\"Free text in the file object\"},\"ObjectReference\":[],\"comment\":\"File object for test event 4 \",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"18208\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621591770\",\"uuid\":\"190c762c-a389-4ecc-8f6e-68f92d42adef\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"3\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3634\",\"info\":\"Test event 4 with object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1621591770\",\"uuid\":\"d98a8418-9f90-4b50-a623-6921ca5b356d\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + 
"deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3634", + "id": "266269", + "object_id": "18208", + "object_relation": "text", + "sharing_group_id": "0", + "timestamp": "2021-05-21T10:09:30.000Z", + "to_ids": false, + "type": "text", + "uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67", + "value": "Free text in the file object" + }, + "event": { + "attribute_count": 3, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3634", + "info": "Test event 4 with object", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 3, + "uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d" + }, + "object": { + "comment": "File object for test event 4 ", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3634", + "id": "18208", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T10:09:30.000Z", + "uuid": "190c762c-a389-4ecc-8f6e-68f92d42adef" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:09:30.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload 
delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"266270\",\"last_seen\":null,\"object_id\":\"18208\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621591770\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"4e579782-346b-44b3-b72c-1cae8d87cb25\",\"value\":\"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666\"},\"ObjectReference\":[],\"comment\":\"File object for test event 4 \",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"18208\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621591770\",\"uuid\":\"190c762c-a389-4ecc-8f6e-68f92d42adef\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"3\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3634\",\"info\":\"Test event 4 with object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1621591770\",\"uuid\":\"d98a8418-9f90-4b50-a623-6921ca5b356d\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3634", + "id": "266270", + "object_id": "18208", + "object_relation": 
"sha256", + "sharing_group_id": "0", + "timestamp": "2021-05-21T10:09:30.000Z", + "to_ids": true, + "type": "sha256", + "uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25" + }, + "event": { + "attribute_count": 3, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3634", + "info": "Test event 4 with object", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 3, + "uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d" + }, + "object": { + "comment": "File object for test event 4 ", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3634", + "id": "18208", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T10:09:30.000Z", + "uuid": "190c762c-a389-4ecc-8f6e-68f92d42adef" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666" + } + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:09:30.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload 
delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"266271\",\"last_seen\":null,\"object_id\":\"18208\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621591770\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"a40343b5-a480-4288-9b0c-7ae074a77140\",\"value\":\"filenameinmispobject.txt\"},\"ObjectReference\":[],\"comment\":\"File object for test event 4 \",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"18208\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621591770\",\"uuid\":\"190c762c-a389-4ecc-8f6e-68f92d42adef\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"3\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3634\",\"info\":\"Test event 4 with object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1621591770\",\"uuid\":\"d98a8418-9f90-4b50-a623-6921ca5b356d\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3634", + "id": "266271", + "object_id": "18208", + "object_relation": "filename", + "sharing_group_id": "0", 
+ "timestamp": "2021-05-21T10:09:30.000Z", + "to_ids": true, + "type": "filename", + "uuid": "a40343b5-a480-4288-9b0c-7ae074a77140" + }, + "event": { + "attribute_count": 3, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3634", + "info": "Test event 4 with object", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 3, + "uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d" + }, + "object": { + "comment": "File object for test event 4 ", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3634", + "id": "18208", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T10:09:30.000Z", + "uuid": "190c762c-a389-4ecc-8f6e-68f92d42adef" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "name": "filenameinmispobject.txt" + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:19:39.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": 
"{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266272\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"188a6a15-5704-4e4f-acba-22c55ab08fe8\",\"value\":\"Object 5 free text attribute in object\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": true, + 
"distribution": 5, + "event_id": "3635", + "id": "266272", + "object_id": "18209", + "object_relation": "text", + "sharing_group_id": "0", + "timestamp": "2021-05-21T10:19:39.000Z", + "to_ids": false, + "type": "text", + "uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8", + "value": "Object 5 free text attribute in object" + }, + "event": { + "attribute_count": 5, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3635", + "info": "Test event 5 with an object", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e" + }, + "object": { + "comment": "event 5 object comment", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3635", + "id": "18209", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T10:19:39.000Z", + "uuid": "a62cb6fb-fa1c-45ce-abb8-b46da23631d5" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:19:39.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": 
"{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266275\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"entropy\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":false,\"type\":\"float\",\"uuid\":\"2400b103-4a33-4f92-ac04-a558b6c6e252\",\"value\":\"0.53535445\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": 
"3635", + "id": "266275", + "object_id": "18209", + "object_relation": "entropy", + "sharing_group_id": "0", + "timestamp": "2021-05-21T10:19:39.000Z", + "to_ids": false, + "type": "float", + "uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252", + "value": "0.53535445" + }, + "event": { + "attribute_count": 5, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3635", + "info": "Test event 5 with an object", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e" + }, + "object": { + "comment": "event 5 object comment", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3635", + "id": "18209", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T10:19:39.000Z", + "uuid": "a62cb6fb-fa1c-45ce-abb8-b46da23631d5" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:19:39.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": 
"{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266276\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"size-in-bytes\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":false,\"type\":\"size-in-bytes\",\"uuid\":\"e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7\",\"value\":\"55555\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + 
"event_id": "3635", + "id": "266276", + "object_id": "18209", + "object_relation": "size-in-bytes", + "sharing_group_id": "0", + "timestamp": "2021-05-21T10:19:39.000Z", + "to_ids": false, + "type": "size-in-bytes", + "uuid": "e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7", + "value": "55555" + }, + "event": { + "attribute_count": 5, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3635", + "info": "Test event 5 with an object", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e" + }, + "object": { + "comment": "event 5 object comment", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3635", + "id": "18209", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T10:19:39.000Z", + "uuid": "a62cb6fb-fa1c-45ce-abb8-b46da23631d5" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:19:39.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload 
delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266273\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"803f10bd-9087-4169-8699-277579a92693\",\"value\":\"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3635", + "id": "266273", + "object_id": "18209", + "object_relation": 
"sha256", + "sharing_group_id": "0", + "timestamp": "2021-05-21T10:19:39.000Z", + "to_ids": true, + "type": "sha256", + "uuid": "803f10bd-9087-4169-8699-277579a92693" + }, + "event": { + "attribute_count": 5, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3635", + "info": "Test event 5 with an object", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e" + }, + "object": { + "comment": "event 5 object comment", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3635", + "id": "18209", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T10:19:39.000Z", + "uuid": "a62cb6fb-fa1c-45ce-abb8-b46da23631d5" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665" + } + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-21T10:19:39.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload 
delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266274\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f\",\"value\":\"object5.txt\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3635", + "id": "266274", + "object_id": "18209", + "object_relation": "filename", + "sharing_group_id": "0", + "timestamp": 
"2021-05-21T10:19:39.000Z", + "to_ids": true, + "type": "filename", + "uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f" + }, + "event": { + "attribute_count": 5, + "date": "2021-05-21", + "disable_correlation": false, + "distribution": 1, + "extends_uuid": "", + "id": "3635", + "info": "Test event 5 with an object", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e" + }, + "object": { + "comment": "event 5 object comment", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3635", + "id": "18209", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T10:19:39.000Z", + "uuid": "a62cb6fb-fa1c-45ce-abb8-b46da23631d5" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "name": "object5.txt" + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts 
dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266278\",\"last_seen\":null,\"object_id\":\"18210\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200348\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"955e34a5-a630-42c9-868d-6e3dcb575987\",\"value\":\"Excutable create bad pipe\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18210\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1622200348\",\"uuid\":\"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple 
attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3636", + "id": "266278", + "object_id": "18210", + "object_relation": "text", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:12:28.000Z", + "to_ids": false, + "type": "text", + "uuid": "955e34a5-a630-42c9-868d-6e3dcb575987", + "value": "Excutable create bad pipe" + }, + "context": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266277", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:10:49.000Z", + "to_ids": false, + "type": "windows-service-name", + "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "value": "badmojopipe" + } + }, + "event": { + "attribute_count": 9, + "date": "2021-05-28", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "", + "id": "3636", + "info": "Test event 6 with multiple objects and multiple attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" + }, + "object": { + "comment": "", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3636", + "id": "18210", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": 
"22", + "timestamp": "2021-05-28T11:12:28.000Z", + "uuid": "afe43d99-d8b6-47fa-8e7b-3d3ece2f8366" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266281\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"size-in-bytes\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"size-in-bytes\",\"uuid\":\"2fa7721b-ad73-4914-b082-8d44233ced98\",\"value\":\"3892\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable 
Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3636", + "id": "266281", + "object_id": "18211", + "object_relation": "size-in-bytes", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:19:40.000Z", + "to_ids": false, + "type": "size-in-bytes", + "uuid": "2fa7721b-ad73-4914-b082-8d44233ced98", + "value": "3892" + }, + "context": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266277", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:10:49.000Z", + "to_ids": false, + "type": "windows-service-name", + "uuid": 
"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "value": "badmojopipe" + } + }, + "event": { + "attribute_count": 9, + "date": "2021-05-28", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "", + "id": "3636", + "info": "Test event 6 with multiple objects and multiple attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" + }, + "object": { + "comment": "", + "deleted": false, + "description": "Object describing a section of a Portable Executable", + "distribution": 5, + "event_id": "3636", + "id": "18211", + "meta_category": "file", + "name": "pe-section", + "sharing_group_id": "0", + "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", + "template_version": "3", + "timestamp": "2021-05-28T11:19:40.000Z", + "uuid": "023be568-34d6-4df4-ae88-f4de0dbfcd9d" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts 
dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266283\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"name\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"d35c1ff8-a69c-482b-8fb0-1182988d9468\",\"value\":\".data\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple 
attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3636", + "id": "266283", + "object_id": "18211", + "object_relation": "name", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:19:40.000Z", + "to_ids": false, + "type": "text", + "uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468", + "value": ".data" + }, + "context": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266277", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:10:49.000Z", + "to_ids": false, + "type": "windows-service-name", + "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "value": "badmojopipe" + } + }, + "event": { + "attribute_count": 9, + "date": "2021-05-28", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "", + "id": "3636", + "info": "Test event 6 with multiple objects and multiple attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" + }, + "object": { + "comment": "", + "deleted": false, + "description": "Object describing a section of a Portable Executable", + "distribution": 5, + "event_id": "3636", + "id": "18211", + "meta_category": "file", + "name": "pe-section", + "sharing_group_id": "0", + "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", + "template_version": "3", + 
"timestamp": "2021-05-28T11:19:40.000Z", + "uuid": "023be568-34d6-4df4-ae88-f4de0dbfcd9d" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266284\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"dc11971a-a676-4676-b24c-a45a8791e0b0\",\"value\":\"Extracted zip archive data\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable 
Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3636", + "id": "266284", + "object_id": "18211", + "object_relation": "text", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:19:40.000Z", + "to_ids": false, + "type": "text", + "uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0", + "value": "Extracted zip archive data" + }, + "context": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266277", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:10:49.000Z", + "to_ids": false, + "type": "windows-service-name", + "uuid": 
"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "value": "badmojopipe" + } + }, + "event": { + "attribute_count": 9, + "date": "2021-05-28", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "", + "id": "3636", + "info": "Test event 6 with multiple objects and multiple attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" + }, + "object": { + "comment": "", + "deleted": false, + "description": "Object describing a section of a Portable Executable", + "distribution": 5, + "event_id": "3636", + "id": "18211", + "meta_category": "file", + "name": "pe-section", + "sharing_group_id": "0", + "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", + "template_version": "3", + "timestamp": "2021-05-28T11:19:40.000Z", + "uuid": "023be568-34d6-4df4-ae88-f4de0dbfcd9d" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts 
dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266285\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"entropy\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"float\",\"uuid\":\"a85c0cbb-25a8-4bc9-b146-3cba1020e5bb\",\"value\":\"7.93280431051\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple 
attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3636", + "id": "266285", + "object_id": "18211", + "object_relation": "entropy", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:19:40.000Z", + "to_ids": false, + "type": "float", + "uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", + "value": "7.93280431051" + }, + "context": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266277", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:10:49.000Z", + "to_ids": false, + "type": "windows-service-name", + "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "value": "badmojopipe" + } + }, + "event": { + "attribute_count": 9, + "date": "2021-05-28", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "", + "id": "3636", + "info": "Test event 6 with multiple objects and multiple attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" + }, + "object": { + "comment": "", + "deleted": false, + "description": "Object describing a section of a Portable Executable", + "distribution": 5, + "event_id": "3636", + "id": "18211", + "meta_category": "file", + "name": "pe-section", + "sharing_group_id": "0", + "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", + "template_version": 
"3", + "timestamp": "2021-05-28T11:19:40.000Z", + "uuid": "023be568-34d6-4df4-ae88-f4de0dbfcd9d" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266279\",\"last_seen\":null,\"object_id\":\"18210\",\"object_relation\":\"md5\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200348\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"1c97c043-5de2-41a1-b591-3237174cd290\",\"value\":\"7392463caf95534d56460bc9f360adc1\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18210\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1622200348\",\"uuid\":\"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266279", + "object_id": "18210", + "object_relation": "md5", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:12:28.000Z", + "to_ids": true, + "type": "md5", + "uuid": "1c97c043-5de2-41a1-b591-3237174cd290" + }, + "context": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266277", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:10:49.000Z", + "to_ids": false, + "type": "windows-service-name", + "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + 
"value": "badmojopipe" + } + }, + "event": { + "attribute_count": 9, + "date": "2021-05-28", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "", + "id": "3636", + "info": "Test event 6 with multiple objects and multiple attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" + }, + "object": { + "comment": "", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3636", + "id": "18210", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-28T11:12:28.000Z", + "uuid": "afe43d99-d8b6-47fa-8e7b-3d3ece2f8366" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "md5": "7392463caf95534d56460bc9f360adc1" + } + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts 
dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266282\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"md5\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"f3b8696e-5390-4383-ace2-6e06bfae497d\",\"value\":\"7295463caf95534d56460bc9f360adc1\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple 
attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266282", + "object_id": "18211", + "object_relation": "md5", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:19:40.000Z", + "to_ids": true, + "type": "md5", + "uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d" + }, + "context": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266277", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:10:49.000Z", + "to_ids": false, + "type": "windows-service-name", + "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "value": "badmojopipe" + } + }, + "event": { + "attribute_count": 9, + "date": "2021-05-28", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "", + "id": "3636", + "info": "Test event 6 with multiple objects and multiple attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" + }, + "object": { + "comment": "", + "deleted": false, + "description": "Object describing a section of a Portable Executable", + "distribution": 5, + "event_id": "3636", + "id": "18211", + "meta_category": "file", + "name": "pe-section", + "sharing_group_id": "0", + "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", + "template_version": "3", + "timestamp": 
"2021-05-28T11:19:40.000Z", + "uuid": "023be568-34d6-4df4-ae88-f4de0dbfcd9d" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "md5": "7295463caf95534d56460bc9f360adc1" + } + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266280\",\"last_seen\":null,\"object_id\":\"18210\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200348\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"2dfcb937-e6af-4b5d-ad50-f8eb975990f3\",\"value\":\"badmojopipe.exe\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18210\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1622200348\",\"uuid\":\"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3636", + "id": "266280", + "object_id": "18210", + "object_relation": "filename", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:12:28.000Z", + "to_ids": true, + "type": "filename", + "uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3" + }, + "context": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266277", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:10:49.000Z", + "to_ids": false, + "type": "windows-service-name", + "uuid": 
"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "value": "badmojopipe" + } + }, + "event": { + "attribute_count": 9, + "date": "2021-05-28", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "", + "id": "3636", + "info": "Test event 6 with multiple objects and multiple attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" + }, + "object": { + "comment": "", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3636", + "id": "18210", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-28T11:12:28.000Z", + "uuid": "afe43d99-d8b6-47fa-8e7b-3d3ece2f8366" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "name": "badmojopipe.exe" + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + } + ] +} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log new file mode 100644 index 0000000000..ceb5f41cfb --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log 
@@ -0,0 +1,2 @@ +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266285","last_seen":null,"object_id":"18211","object_relation":"entropy","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"float","uuid":"a85c0cbb-25a8-4bc9-b146-3cba1020e5bb","value":"7.93280431051"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple 
attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266279","last_seen":null,"object_id":"18210","object_relation":"md5","sharing_group_id":"0","timestamp":"1622200348","to_ids":true,"type":"md5","uuid":"1c97c043-5de2-41a1-b591-3237174cd290","value":"7392463caf95534d56460bc9f360adc1"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects 
and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-config.yml new file mode 100644 index 0000000000..c41ee36923 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-config.yml @@ -0,0 +1,2 @@ +fields: + tags: ~ diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-expected.json b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-expected.json new file mode 100644 index 0000000000..407efc0fbe --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-expected.json 
@@ -0,0 +1,221 @@ +{ + "expected": [ + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Other", + "comment": "", + "deleted": false, + "disable_correlation": true, + "distribution": 5, + "event_id": "3636", + "id": "266285", + "object_id": "18211", + "object_relation": "entropy", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:19:40.000Z", + "to_ids": false, + "type": "float", + "uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", + "value": "7.93280431051" + }, + "context": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266277", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:10:49.000Z", + "to_ids": false, + "type": "windows-service-name", + "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "value": "badmojopipe" + } + }, + "event": { + "attribute_count": 9, + "date": "2021-05-28", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "", + "id": "3636", + "info": "Test event 6 with multiple objects and multiple attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" + }, + "object": { + "comment": "", + "deleted": false, + "description": "Object describing a section of a Portable Executable", + "distribution": 5, + "event_id": "3636", + "id": "18211", + "meta_category": "file", + "name": "pe-section", + "sharing_group_id": "0", + "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", + "template_version": "3", + "timestamp": "2021-05-28T11:19:40.000Z", + "uuid": 
"023be568-34d6-4df4-ae88-f4de0dbfcd9d" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "scanner_stats": 0 + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2021-05-28T11:19:41.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266279", + "object_id": "18210", + "object_relation": "md5", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:12:28.000Z", + "to_ids": true, + "type": "md5", + "uuid": "1c97c043-5de2-41a1-b591-3237174cd290" + }, + "context": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3636", + "id": "266277", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-28T11:10:49.000Z", + "to_ids": false, + "type": "windows-service-name", + "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "value": "badmojopipe" + } + }, + "event": { + "attribute_count": 9, + "date": "2021-05-28", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "", + "id": "3636", + "info": "Test event 6 with multiple objects and multiple attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" + }, + "object": { + "comment": "", + "deleted": false, + "description": "File object describing a file with meta-information", + 
"distribution": 5, + "event_id": "3636", + "id": "18210", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-28T11:12:28.000Z", + "uuid": "afe43d99-d8b6-47fa-8e7b-3d3ece2f8366" + }, + "orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" + } + }, + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "md5": "7392463caf95534d56460bc9f360adc1" + } + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] + } + } + ] +} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log new file mode 100644 index 0000000000..0641fb93f7 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log 
@@ -0,0 +1,16 @@ +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"5","first_seen":null,"id":"351","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1503930272","to_ids":true,"type":"md5","uuid":"59a427a0-f6f8-4178-9e7d-dfd702de0b81","value":"f2679bdabe46e10edc6352fff3c829bc"},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","http://pastebin.com/raw/GHgpWjar","MISP Project"],"collection_uuid":"10cf658b-5d32-4c4b-bb32-61760a640372","description":"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant","galaxy_id":"43","id":"6619","local":false,"meta":{"date":["November 2016"],"encryption":["AES + RSA-512"],"extensions":[".dharma",".wallet",".zzzzz",".cmb",".id-BCBEF350.[paymentbtc@firemail.cc].cmb",".bip",".id-BCBEF350.[Beamsell@qq.com].bip",".boost",".[Darknes@420blaze.it].waifu",".brrr",".adobe",".tron",".AUDIT",".cccmn",".fire",".myjob",".[cyberwars@qq.com].war",".risk",".RISK",".bkpx",".[newsantaclaus@aol.com].santa"],"payment-method":["Bitcoin - Email"],"ransomnotes":["all your data has been locked us\\nYou want to return?\\nwrite email paymentbtc@firemail.cc","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. 
If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\nWrite this ID in the title of your message ACBFF130\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\nhttps://localbitcoins.com/buy_bitcoins\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\nAttention!\\nDo not rename encrypted files.\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\nWrite this ID in the title of your message BCBEF350\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. 
(databases,backups, large excel sheets, etc.) \\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\nhttps://localbitcoins.com/buy_bitcoins \\nAlso you can find other places to buy Bitcoins and beginners guide here: \\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\nAttention!\\nDo not rename encrypted files. \\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","all your data has been locked us\\nYou want to return?\\nwrite email Beamsell@qq.com"],"ransomnotes-filenames":["README.txt","README.jpg","Info.hta","FILES ENCRYPTED.txt","INFO.hta"],"ransomnotes-refs":["https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg","https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg","https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg","https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg","https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"],"refs":["https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html","https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/","https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/","https://twitter.com/demonslay335/status/1049313390097813504","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/","https://twitter.com/JakubKroustek/status/1038680437508501504","https://twitter.com/demonslay335/status/1059521042383814657","https://twitter.
com/demonslay335/status/1059940414147489792","https://twitter.com/JakubKroustek/status/1060825783197933568","https://twitter.com/JakubKroustek/status/1064061275863425025","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/","https://www.youtube.com/watch?v=qjoYtwLx2TI","https://twitter.com/GrujaRS/status/1072139616910757888"]},"source":"Various","tag_id":"23","tag_name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","type":"ransomware","uuid":"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b","value":"Dharma Ransomware","version":"86"}],"description":"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","icon":"btc","id":"43","name":"Ransomware","namespace":"misp","type":"ransomware","uuid":"3f44af2e-1480-4b6b-9aa8-f9bb21341078","version":"4"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[],"ShadowAttribute":[],"Tag":[{"colour":"#0088cc","exportable":true,"hide_tag":false,"id":"23","local":0,"name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#004646","exportable":true,"hide_tag":false,"id":"21","local":0,"name":"type:OSINT","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"},{"colour":"#2c4f00","exportable":true,"hide_tag":false,"id":"24","local":0,"name":"malware_classification:malware-category=\"Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#00223b","exportable":true,"hide_tag":false,"id":"3","local":0,"name":"osint:source-type=\"blog - 
post\"","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"7","date":"2017-08-25","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"5","info":"OSINT - New Arena Crysis Ransomware Variant Released","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226331","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1503930276","uuid":"59a3d08d-5dc8-4153-bc7c-456d950d210f"}} +{"Event":{"Attribute":{"id":"10794","type":"domain|ip","category":"Network activity","to_ids":false,"uuid":"5bf30242-8ef4-4c52-a2d7-0b7b0a016219","event_id":"14","distribution":"5","timestamp":"1542652482","comment":"1st stage","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"your-ip.getmyip.com|89.160.20.156","Galaxy":[],"ShadowAttribute":[]},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","http://pastebin.com/raw/GHgpWjar","MISP Project"],"collection_uuid":"10cf658b-5d32-4c4b-bb32-61760a640372","description":"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant","galaxy_id":"43","id":"6619","local":false,"meta":{"date":["November 2016"],"encryption":["AES + RSA-512"],"extensions":[".dharma",".wallet",".zzzzz",".cmb",".id-BCBEF350.[paymentbtc@firemail.cc].cmb",".bip",".id-BCBEF350.[Beamsell@qq.com].bip",".boost",".[Darknes@420blaze.it].waifu",".brrr",".adobe",".tron",".AUDIT",".cccmn",".fire",".myjob",".[cyberwars@qq.com].war",".risk",".RISK",".bkpx",".[newsantaclaus@aol.com].santa"],"payment-method":["Bitcoin - Email"],"ransomnotes":["all your data has been locked us\\nYou want to return?\\nwrite email paymentbtc@firemail.cc","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\nWrite this ID in the title of your message ACBFF130\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\nhttps://localbitcoins.com/buy_bitcoins\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\nAttention!\\nDo not rename encrypted files.\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\nWrite this ID in the title of your message BCBEF350\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\nhttps://localbitcoins.com/buy_bitcoins \\nAlso you can find other places to buy Bitcoins and beginners guide here: \\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\nAttention!\\nDo not rename encrypted files. 
\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","all your data has been locked us\\nYou want to return?\\nwrite email Beamsell@qq.com"],"ransomnotes-filenames":["README.txt","README.jpg","Info.hta","FILES ENCRYPTED.txt","INFO.hta"],"ransomnotes-refs":["https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg","https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg","https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg","https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg","https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"],"refs":["https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html","https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/","https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/","https://twitter.com/demonslay335/status/1049313390097813504","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/","https://twitter.com/JakubKroustek/status/1038680437508501504","https://twitter.com/demonslay335/status/1059521042383814657","https://twitter.com/demonslay335/status/1059940414147489792","https://twitter.com/JakubKroustek/status/1060825783197933568","https://twitter.com/JakubKroustek/status/1064061275863425025","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/","https://www.youtube.com/watch?v=qjoYtwLx2TI","https://twitter.com/GrujaRS/status/1072139616910757888"]},"source":"Various","tag_id":"23","tag_name":"misp-galaxy:ransom
ware=\"Dharma Ransomware\"","type":"ransomware","uuid":"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b","value":"Dharma Ransomware","version":"86"}],"description":"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","icon":"btc","id":"43","name":"Ransomware","namespace":"misp","type":"ransomware","uuid":"3f44af2e-1480-4b6b-9aa8-f9bb21341078","version":"4"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[],"ShadowAttribute":[],"Tag":[{"colour":"#0088cc","exportable":true,"hide_tag":false,"id":"23","local":0,"name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#004646","exportable":true,"hide_tag":false,"id":"21","local":0,"name":"type:OSINT","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"},{"colour":"#2c4f00","exportable":true,"hide_tag":false,"id":"24","local":0,"name":"malware_classification:malware-category=\"Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#00223b","exportable":true,"hide_tag":false,"id":"3","local":0,"name":"osint:source-type=\"blog - post\"","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"7","date":"2017-08-25","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"5","info":"OSINT - New Arena Crysis Ransomware Variant Released","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226331","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1503930276","uuid":"59a3d08d-5dc8-4153-bc7c-456d950d210f"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"External analysis","comment":"Carbon sample - Xchecked via VT: 
a08b8371ead1919500a4759c2f46553620d5a9d9","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"4","first_seen":null,"id":"342","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1490878550","to_ids":false,"type":"link","uuid":"58dd0056-6e74-43d5-b58b-494802de0b81","value":"https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/"},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["Alexandre Dulaunoy","Florian Roth","Timo Steffens","Christophe Vandeplas","Dennis Rand","raw-data"],"collection_uuid":"0d821b68-9d82-4c6d-86a6-1071a9e0f79f","description":"Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver). A macOS version exists but appears incomplete and lacking features...for now!","galaxy_id":"36","id":"5828","local":false,"meta":{"refs":["https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf","https://objective-see.com/blog/blog_0x25.html#Snake"],"synonyms":["Snake","Uroburos","Urouros"],"type":["Backdoor","Rootkit"]},"source":"MISP Project","tag_id":"22","tag_name":"misp-galaxy:tool=\"Turla\"","type":"tool","uuid":"22332d52-c0c2-443c-9ffb-f08c0d23722c","value":"Turla","version":"138"}],"description":"Threat actors tools is an enumeration of tools used by adversaries. 
The list includes malware but also common software regularly used by the adversaries.","icon":"optin-monster","id":"36","name":"Tool","namespace":"misp","type":"tool","uuid":"9b8037f7-bc8f-4de1-a797-37266619bc0b","version":"3"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"4","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f"},"analysis":"2","date":"2015-01-20","distribution":"3","id":"369","info":"OSINT Analysis of Project Cobra Another extensible framework used by the Uroburos’ actors from Gdata","org_id":"1","orgc_id":"4","published":true,"threat_level_id":"1","timestamp":"1498163317","uuid":"54bf5a6f-ac50-4f71-9cd3-7080950d210b"}},{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"4","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f"},"analysis":"2","date":"2014-11-20","distribution":"3","id":"621","info":"Turla digging using TotalHash","org_id":"1","orgc_id":"4","published":true,"threat_level_id":"2","timestamp":"1498163604","uuid":"546daad5-425c-4ac4-82c7-e07f950d210b"}}],"ShadowAttribute":[],"Tag":[{"colour":"#065100","exportable":true,"hide_tag":false,"id":"22","local":0,"name":"misp-galaxy:tool=\"Turla\"","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"100","date":"2017-03-30","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"4","info":"OSINT - Carbon Paper: Peering into Turla’s second stage 
backdoor","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226330","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1493403824","uuid":"58dcfe62-ed84-4e5e-b293-4991950d210f"}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1077","type":"sha256","category":"External analysis","to_ids":true,"uuid":"54324042-49fc-4628-a95e-44da950d210b","event_id":"2","distribution":"5","timestamp":"1412579394","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by 
Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1084","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"54324081-3308-4f1f-8674-4953950d210b","event_id":"2","distribution":"5","timestamp":"1412579457","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"89.160.20.156","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto 
Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1086","type":"hostname","category":"Network activity","to_ids":true,"uuid":"543240dc-f068-437a-baa9-48f2950d210b","event_id":"2","distribution":"5","timestamp":"1412579548","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"xenserver.ddns.net","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto 
Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1089","type":"text","category":"External analysis","to_ids":false,"uuid":"543240f9-64e8-41f2-958f-4e21950d210b","event_id":"2","distribution":"5","timestamp":"1412579577","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"Nitro","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto 
Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1090","type":"sha1","category":"External analysis","to_ids":true,"uuid":"56c625a7-f31c-460c-9ea1-c652950d210f","event_id":"2","distribution":"5","timestamp":"1455826343","comment":"Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"0ea76f1586c008932d90c991dfdd5042f3aac8ea","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto 
Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"12394","type":"domain","category":"Network activity","to_ids":false,"uuid":"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16","event_id":"22","distribution":"5","timestamp":"1462454963","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"whatsapp.com","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17299","type":"url","category":"Network 
activity","to_ids":false,"uuid":"5a53976c-e7c8-480d-a68a-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515427692","comment":"Fake adobe URL","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"http://get.adobe.com/stats/AbfFcBebD/?q=","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito 
Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17330","type":"uri","category":"Network activity","to_ids":false,"uuid":"5a539ce1-3de0-4e34-8fc4-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515429089","comment":"Win32 backdoor C&C URI","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"/scripts/m/query.php?id=","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} 
+{"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17322","type":"filename|sha1","category":"Artifacts dropped","to_ids":false,"uuid":"5a539ce1-e6a0-426a-942c-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515429089","comment":"JavaScript backdoor","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"google_update_checker.js|c51d288469df9f25e2fb7ac491918b3e579282ea","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla 
Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"22","orgc_id":"4","org_id":"1","date":"2015-12-08","threat_level_id":"3","info":"Packrat: Seven Years of a South American Threat Actor","published":true,"uuid":"56ccdcaf-f7e4-40d8-bca1-51299062e56a","attribute_count":"133","analysis":"2","timestamp":"1516723796","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637901","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"12268","type":"email-src","category":"Payload delivery","to_ids":true,"uuid":"56ccdcb6-4d6c-4e48-b955-52849062e56a","event_id":"22","distribution":"5","timestamp":"1456266422","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"claudiobonadio88@gmail.com","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"22","orgc_id":"4","org_id":"1","date":"2015-12-08","threat_level_id":"3","info":"Packrat: Seven Years of a South American Threat 
Actor","published":true,"uuid":"56ccdcaf-f7e4-40d8-bca1-51299062e56a","attribute_count":"133","analysis":"2","timestamp":"1516723796","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637901","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"12298","type":"regkey","category":"Artifacts dropped","to_ids":true,"uuid":"56ccdcd6-f4b8-4383-9624-52849062e56a","event_id":"22","distribution":"5","timestamp":"1456266454","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"HKLM\\SOFTWARE\\Microsoft\\Active","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"10","orgc_id":"4","org_id":"1","date":"2020-12-09","threat_level_id":"3","info":"Recent Qakbot (Qbot) activity","published":true,"uuid":"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16","attribute_count":"15","analysis":"2","timestamp":"1607868196","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637888","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"10686","type":"ip-dst|port","category":"Network activity","to_ids":true,"uuid":"5fd0c620-a844-4ace-9710-a37bc0a8ab16","event_id":"10","distribution":"5","timestamp":"1607517728","comment":"On port 
2222","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"89.160.20.156|2222","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"6","name":"misp-galaxy:banker=\"Qakbot\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0}]}}
+{"response":[]}
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-config.yml
new file mode 100644
index 0000000000..4da2264165
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json
new file mode 100644
index 0000000000..27fee944db
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json
@@ -0,0 +1,1222 @@ +{ + "expected": [ + { + "@timestamp": "2017-08-28T14:24:36.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"5\",\"first_seen\":null,\"id\":\"351\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1503930272\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"59a427a0-f6f8-4178-9e7d-dfd702de0b81\",\"value\":\"f2679bdabe46e10edc6352fff3c829bc\"},\"EventReport\":[],\"Galaxy\":[{\"GalaxyCluster\":[{\"authors\":[\"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"http://pastebin.com/raw/GHgpWjar\",\"MISP Project\"],\"collection_uuid\":\"10cf658b-5d32-4c4b-bb32-61760a640372\",\"description\":\"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\\\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant\",\"galaxy_id\":\"43\",\"id\":\"6619\",\"local\":false,\"meta\":{\"date\":[\"November 2016\"],\"encryption\":[\"AES + RSA-512\"],\"extensions\":[\".dharma\",\".wallet\",\".zzzzz\",\".cmb\",\".id-BCBEF350.[paymentbtc@firemail.cc].cmb\",\".bip\",\".id-BCBEF350.[Beamsell@qq.com].bip\",\".boost\",\".[Darknes@420blaze.it].waifu\",\".brrr\",\".adobe\",\".tron\",\".AUDIT\",\".cccmn\",\".fire\",\".myjob\",\".[cyberwars@qq.com].war\",\".risk\",\".RISK\",\".bkpx\",\".[newsantaclaus@aol.com].santa\"],\"payment-method\":[\"Bitcoin - Email\"],\"ransomnotes\":[\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email paymentbtc@firemail.cc\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\\\nWrite this ID in the title of your message ACBFF130\\\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\\\nhttps://localbitcoins.com/buy_bitcoins\\\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\\\nAttention!\\\\nDo not rename encrypted files.\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\\\nWrite this ID in the title of your message BCBEF350\\\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\\\nhttps://localbitcoins.com/buy_bitcoins \\\\nAlso you can find other places to buy Bitcoins and beginners guide here: \\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\\\nAttention!\\\\nDo not rename encrypted files. 
\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email Beamsell@qq.com\"],\"ransomnotes-filenames\":[\"README.txt\",\"README.jpg\",\"Info.hta\",\"FILES ENCRYPTED.txt\",\"INFO.hta\"],\"ransomnotes-refs\":[\"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg\",\"https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg\",\"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg\",\"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg\",\"https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg\"],\"refs\":[\"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html\",\"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/\",\"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/\",\"https://twitter.com/demonslay335/status/1049313390097813504\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/\",\"https://twitter.com/JakubKroustek/status/1038680437508501504\",\"https://twitter.com/demonslay335/status/1059521042383814657\",\"https://twitter.com/demonslay335/status/1059940414147489792\",\"https://twitter.com/JakubKroustek/status/1060825783197933568\",\"https://twitter.com/JakubKroustek/status/1064061275863425025\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/\",\"https://www.youtube.com/watch?v=qjoYtwLx2TI\",\"https://twitter.com/GrujaRS/status/1072139616910757888\
"]},\"source\":\"Various\",\"tag_id\":\"23\",\"tag_name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"type\":\"ransomware\",\"uuid\":\"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b\",\"value\":\"Dharma Ransomware\",\"version\":\"86\"}],\"description\":\"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"icon\":\"btc\",\"id\":\"43\",\"name\":\"Ransomware\",\"namespace\":\"misp\",\"type\":\"ransomware\",\"uuid\":\"3f44af2e-1480-4b6b-9aa8-f9bb21341078\",\"version\":\"4\"}],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#0088cc\",\"exportable\":true,\"hide_tag\":false,\"id\":\"23\",\"local\":0,\"name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"21\",\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#ffffff\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"local\":0,\"name\":\"tlp:white\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#2c4f00\",\"exportable\":true,\"hide_tag\":false,\"id\":\"24\",\"local\":0,\"name\":\"malware_classification:malware-category=\\\"Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#00223b\",\"exportable\":true,\"hide_tag\":false,\"id\":\"3\",\"local\":0,\"name\":\"osint:source-type=\\\"blog - post\\\"\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"7\",\"date\":\"2017-08-25\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"5\",\"info\":\"OSINT - New Arena Crysis Ransomware Variant 
Released\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1603226331\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1503930276\",\"uuid\":\"59a3d08d-5dc8-4153-bc7c-456d950d210f\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "5", + "id": "351", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2017-08-28T14:24:32.000Z", + "to_ids": true, + "type": "md5", + "uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81" + }, + "event": { + "attribute_count": 7, + "date": "2017-08-25", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "5", + "info": "OSINT - New Arena Crysis Ransomware Variant Released", + "locked": false, + "org_id": "1", + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "2020-10-20T20:38:51.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 3, + "uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f" + }, + "orgc": { + "id": "2", + "local": false, + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + } + }, + "tags": [ + "preserve_original_event", + "misp-galaxy:ransomware=Dharma Ransomware", + "type:OSINT", + "tlp:white", + "malware_classification:malware-category=Ransomware", + "osint:source-type=blog - post" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "md5": "f2679bdabe46e10edc6352fff3c829bc" + } + }, + "marking": { + "tlp": [ + "WHITE" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "file" + } + } + }, + { + "@timestamp": "2017-08-28T14:24:36.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + 
"original": "{\"Event\":{\"Attribute\":{\"id\":\"10794\",\"type\":\"domain|ip\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"5bf30242-8ef4-4c52-a2d7-0b7b0a016219\",\"event_id\":\"14\",\"distribution\":\"5\",\"timestamp\":\"1542652482\",\"comment\":\"1st stage\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"your-ip.getmyip.com|89.160.20.156\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"EventReport\":[],\"Galaxy\":[{\"GalaxyCluster\":[{\"authors\":[\"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"http://pastebin.com/raw/GHgpWjar\",\"MISP Project\"],\"collection_uuid\":\"10cf658b-5d32-4c4b-bb32-61760a640372\",\"description\":\"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\\\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant\",\"galaxy_id\":\"43\",\"id\":\"6619\",\"local\":false,\"meta\":{\"date\":[\"November 2016\"],\"encryption\":[\"AES + RSA-512\"],\"extensions\":[\".dharma\",\".wallet\",\".zzzzz\",\".cmb\",\".id-BCBEF350.[paymentbtc@firemail.cc].cmb\",\".bip\",\".id-BCBEF350.[Beamsell@qq.com].bip\",\".boost\",\".[Darknes@420blaze.it].waifu\",\".brrr\",\".adobe\",\".tron\",\".AUDIT\",\".cccmn\",\".fire\",\".myjob\",\".[cyberwars@qq.com].war\",\".risk\",\".RISK\",\".bkpx\",\".[newsantaclaus@aol.com].santa\"],\"payment-method\":[\"Bitcoin - Email\"],\"ransomnotes\":[\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email paymentbtc@firemail.cc\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\\\nWrite this ID in the title of your message ACBFF130\\\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\\\nhttps://localbitcoins.com/buy_bitcoins\\\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\\\nAttention!\\\\nDo not rename encrypted files.\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\\\nWrite this ID in the title of your message BCBEF350\\\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\\\nhttps://localbitcoins.com/buy_bitcoins \\\\nAlso you can find other places to buy Bitcoins and beginners guide here: \\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\\\nAttention!\\\\nDo not rename encrypted files. 
\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email Beamsell@qq.com\"],\"ransomnotes-filenames\":[\"README.txt\",\"README.jpg\",\"Info.hta\",\"FILES ENCRYPTED.txt\",\"INFO.hta\"],\"ransomnotes-refs\":[\"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg\",\"https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg\",\"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg\",\"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg\",\"https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg\"],\"refs\":[\"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html\",\"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/\",\"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/\",\"https://twitter.com/demonslay335/status/1049313390097813504\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/\",\"https://twitter.com/JakubKroustek/status/1038680437508501504\",\"https://twitter.com/demonslay335/status/1059521042383814657\",\"https://twitter.com/demonslay335/status/1059940414147489792\",\"https://twitter.com/JakubKroustek/status/1060825783197933568\",\"https://twitter.com/JakubKroustek/status/1064061275863425025\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/\",\"https://www.youtube.com/watch?v=qjoYtwLx2TI\",\"https://twitter.com/GrujaRS/status/1072139616910757888\
"]},\"source\":\"Various\",\"tag_id\":\"23\",\"tag_name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"type\":\"ransomware\",\"uuid\":\"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b\",\"value\":\"Dharma Ransomware\",\"version\":\"86\"}],\"description\":\"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"icon\":\"btc\",\"id\":\"43\",\"name\":\"Ransomware\",\"namespace\":\"misp\",\"type\":\"ransomware\",\"uuid\":\"3f44af2e-1480-4b6b-9aa8-f9bb21341078\",\"version\":\"4\"}],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#0088cc\",\"exportable\":true,\"hide_tag\":false,\"id\":\"23\",\"local\":0,\"name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"21\",\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#ffffff\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"local\":0,\"name\":\"tlp:white\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#2c4f00\",\"exportable\":true,\"hide_tag\":false,\"id\":\"24\",\"local\":0,\"name\":\"malware_classification:malware-category=\\\"Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#00223b\",\"exportable\":true,\"hide_tag\":false,\"id\":\"3\",\"local\":0,\"name\":\"osint:source-type=\\\"blog - post\\\"\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"7\",\"date\":\"2017-08-25\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"5\",\"info\":\"OSINT - New Arena Crysis Ransomware Variant 
Released\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1603226331\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1503930276\",\"uuid\":\"59a3d08d-5dc8-4153-bc7c-456d950d210f\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "1st stage", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "14", + "id": "10794", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2018-11-19T18:34:42.000Z", + "to_ids": false, + "type": "domain|ip", + "uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219" + }, + "event": { + "attribute_count": 7, + "date": "2017-08-25", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "5", + "info": "OSINT - New Arena Crysis Ransomware Variant Released", + "locked": false, + "org_id": "1", + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "2020-10-20T20:38:51.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 3, + "uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f" + }, + "orgc": { + "id": "2", + "local": false, + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + } + }, + "tags": [ + "preserve_original_event", + "misp-galaxy:ransomware=Dharma Ransomware", + "type:OSINT", + "tlp:white", + "malware_classification:malware-category=Ransomware", + "osint:source-type=blog - post" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "ip": "89.160.20.156", + "marking": { + "tlp": [ + "WHITE" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "domain-name", + "url": { + "domain": "your-ip.getmyip.com" + } + } + } + }, + { + "@timestamp": "2017-04-28T18:23:44.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": 
"{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"External analysis\",\"comment\":\"Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"4\",\"first_seen\":null,\"id\":\"342\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1490878550\",\"to_ids\":false,\"type\":\"link\",\"uuid\":\"58dd0056-6e74-43d5-b58b-494802de0b81\",\"value\":\"https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/\"},\"EventReport\":[],\"Galaxy\":[{\"GalaxyCluster\":[{\"authors\":[\"Alexandre Dulaunoy\",\"Florian Roth\",\"Timo Steffens\",\"Christophe Vandeplas\",\"Dennis Rand\",\"raw-data\"],\"collection_uuid\":\"0d821b68-9d82-4c6d-86a6-1071a9e0f79f\",\"description\":\"Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver). A macOS version exists but appears incomplete and lacking features...for now!\",\"galaxy_id\":\"36\",\"id\":\"5828\",\"local\":false,\"meta\":{\"refs\":[\"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf\",\"https://objective-see.com/blog/blog_0x25.html#Snake\"],\"synonyms\":[\"Snake\",\"Uroburos\",\"Urouros\"],\"type\":[\"Backdoor\",\"Rootkit\"]},\"source\":\"MISP Project\",\"tag_id\":\"22\",\"tag_name\":\"misp-galaxy:tool=\\\"Turla\\\"\",\"type\":\"tool\",\"uuid\":\"22332d52-c0c2-443c-9ffb-f08c0d23722c\",\"value\":\"Turla\",\"version\":\"138\"}],\"description\":\"Threat actors tools is an enumeration of tools used by adversaries. 
The list includes malware but also common software regularly used by the adversaries.\",\"icon\":\"optin-monster\",\"id\":\"36\",\"name\":\"Tool\",\"namespace\":\"misp\",\"type\":\"tool\",\"uuid\":\"9b8037f7-bc8f-4de1-a797-37266619bc0b\",\"version\":\"3\"}],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"4\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"analysis\":\"2\",\"date\":\"2015-01-20\",\"distribution\":\"3\",\"id\":\"369\",\"info\":\"OSINT Analysis of Project Cobra Another extensible framework used by the Uroburos’ actors from Gdata\",\"org_id\":\"1\",\"orgc_id\":\"4\",\"published\":true,\"threat_level_id\":\"1\",\"timestamp\":\"1498163317\",\"uuid\":\"54bf5a6f-ac50-4f71-9cd3-7080950d210b\"}},{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"4\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"analysis\":\"2\",\"date\":\"2014-11-20\",\"distribution\":\"3\",\"id\":\"621\",\"info\":\"Turla digging using 
TotalHash\",\"org_id\":\"1\",\"orgc_id\":\"4\",\"published\":true,\"threat_level_id\":\"2\",\"timestamp\":\"1498163604\",\"uuid\":\"546daad5-425c-4ac4-82c7-e07f950d210b\"}}],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#065100\",\"exportable\":true,\"hide_tag\":false,\"id\":\"22\",\"local\":0,\"name\":\"misp-galaxy:tool=\\\"Turla\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#ffffff\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"local\":0,\"name\":\"tlp:white\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"100\",\"date\":\"2017-03-30\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"4\",\"info\":\"OSINT - Carbon Paper: Peering into Turla’s second stage backdoor\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1603226330\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1493403824\",\"uuid\":\"58dcfe62-ed84-4e5e-b293-4991950d210f\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "External analysis", + "comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "4", + "id": "342", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2017-03-30T12:55:50.000Z", + "to_ids": false, + "type": "link", + "uuid": "58dd0056-6e74-43d5-b58b-494802de0b81" + }, + "event": { + "attribute_count": 100, + "date": "2017-03-30", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "4", + "info": "OSINT - Carbon Paper: Peering into Turla’s second stage backdoor", + "locked": false, + "org_id": "1", + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "2020-10-20T20:38:50.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 3, + "uuid": 
"58dcfe62-ed84-4e5e-b293-4991950d210f" + }, + "orgc": { + "id": "2", + "local": false, + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + } + }, + "tags": [ + "preserve_original_event", + "misp-galaxy:tool=Turla", + "tlp:white" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "WHITE" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "url", + "url": { + "domain": "www.virustotal.com", + "full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", + "original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", + "path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", + "scheme": "https" + } + } + } + }, + { + "@timestamp": "2014-10-06T07:12:57.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1077\",\"type\":\"sha256\",\"category\":\"External 
analysis\",\"to_ids\":true,\"uuid\":\"54324042-49fc-4628-a95e-44da950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579394\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "External analysis", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "2", + "id": "1077", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2014-10-06T07:09:54.000Z", + "to_ids": true, + "type": "sha256", + "uuid": "54324042-49fc-4628-a95e-44da950d210b" + }, + "event": { + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T11:05:16.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" 
+ } + }, + "tags": [ + "preserve_original_event", + "type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0" + } + }, + "marking": { + "tlp": [ + "GREEN" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "file" + } + } + }, + { + "@timestamp": "2014-10-06T07:12:57.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1084\",\"type\":\"ip-dst\",\"category\":\"Network 
activity\",\"to_ids\":true,\"uuid\":\"54324081-3308-4f1f-8674-4953950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579457\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"89.160.20.156\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "2", + "id": "1084", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2014-10-06T07:10:57.000Z", + "to_ids": true, + "type": "ip-dst", + "uuid": "54324081-3308-4f1f-8674-4953950d210b" + }, + "event": { + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T11:05:16.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + } + }, + "tags": [ + "preserve_original_event", + 
"type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "ip": "89.160.20.156", + "marking": { + "tlp": [ + "GREEN" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2014-10-06T07:12:57.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1086\",\"type\":\"hostname\",\"category\":\"Network 
activity\",\"to_ids\":true,\"uuid\":\"543240dc-f068-437a-baa9-48f2950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579548\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"xenserver.ddns.net\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "2", + "id": "1086", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2014-10-06T07:12:28.000Z", + "to_ids": true, + "type": "hostname", + "uuid": "543240dc-f068-437a-baa9-48f2950d210b" + }, + "event": { + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T11:05:16.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + } + }, + "tags": [ + 
"preserve_original_event", + "type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "GREEN" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "domain-name", + "url": { + "domain": "xenserver.ddns.net" + } + } + } + }, + { + "@timestamp": "2014-10-06T07:12:57.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1089\",\"type\":\"text\",\"category\":\"External 
analysis\",\"to_ids\":false,\"uuid\":\"543240f9-64e8-41f2-958f-4e21950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579577\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"Nitro\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "External analysis", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "2", + "id": "1089", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2014-10-06T07:12:57.000Z", + "to_ids": false, + "type": "text", + "uuid": "543240f9-64e8-41f2-958f-4e21950d210b", + "value": "Nitro" + }, + "event": { + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T11:05:16.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + } + }, + "tags": [ + 
"preserve_original_event", + "type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "GREEN" + ] + }, + "provider": "misp", + "scanner_stats": 2 + } + } + }, + { + "@timestamp": "2014-10-06T07:12:57.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1090\",\"type\":\"sha1\",\"category\":\"External analysis\",\"to_ids\":true,\"uuid\":\"56c625a7-f31c-460c-9ea1-c652950d210f\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1455826343\",\"comment\":\"Automatically added (via 
7915aabb2e66ff14841e4ef0fbff7486)\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"0ea76f1586c008932d90c991dfdd5042f3aac8ea\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "External analysis", + "comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "2", + "id": "1090", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2016-02-18T20:12:23.000Z", + "to_ids": true, + "type": "sha1", + "uuid": "56c625a7-f31c-460c-9ea1-c652950d210f" + }, + "event": { + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T11:05:16.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + } + }, + "tags": [ + "preserve_original_event", + "type:OSINT", + "tlp:green" + ], + "threat": 
{ + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea" + } + }, + "marking": { + "tlp": [ + "GREEN" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "file" + } + } + }, + { + "@timestamp": "2014-10-06T07:12:57.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"12394\",\"type\":\"domain\",\"category\":\"Network 
activity\",\"to_ids\":false,\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"event_id\":\"22\",\"distribution\":\"5\",\"timestamp\":\"1462454963\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"whatsapp.com\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "22", + "id": "12394", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2016-05-05T13:29:23.000Z", + "to_ids": false, + "type": "domain", + "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" + }, + "event": { + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T11:05:16.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + } + }, + "tags": [ + 
"preserve_original_event", + "type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "GREEN" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "domain-name", + "url": { + "domain": "whatsapp.com" + } + } + } + }, + { + "@timestamp": "2018-08-28T13:20:17.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"158\",\"orgc_id\":\"5\",\"org_id\":\"1\",\"date\":\"2018-01-08\",\"threat_level_id\":\"1\",\"info\":\"Turla: Mosquito Whitepaper\",\"published\":true,\"uuid\":\"5a5395d1-40a0-45fc-b692-334a0a016219\",\"attribute_count\":\"61\",\"analysis\":\"0\",\"timestamp\":\"1535462417\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637953\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"local\":false},\"Attribute\":{\"id\":\"17299\",\"type\":\"url\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"5a53976c-e7c8-480d-a68a-2fc50a016219\",\"event_id\":\"158\",\"distribution\":\"5\",\"timestamp\":\"1515427692\",\"comment\":\"Fake adobe URL\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"http://get.adobe.com/stats/AbfFcBebD/?q=\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[{\"Event\":{\"id\":\"58\",\"date\":\"2018-08-17\",\"threat_level_id\":\"1\",\"info\":\"Turla Outlook White 
Paper\",\"published\":true,\"uuid\":\"5b773e07-e694-458b-b99c-27f30a016219\",\"analysis\":\"0\",\"timestamp\":\"1535462383\",\"distribution\":\"3\",\"org_id\":\"1\",\"orgc_id\":\"5\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\"}}}],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"7\",\"name\":\"misp-galaxy:threat-actor=\\\"Turla Group\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"70\",\"name\":\"Turla\",\"colour\":\"#f20f53\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "Fake adobe URL", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "158", + "id": "17299", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2018-01-08T16:08:12.000Z", + "to_ids": false, + "type": "url", + "uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219" + }, + "event": { + "attribute_count": 61, + "date": "2018-01-08", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "158", + "info": "Turla: Mosquito Whitepaper", + "locked": false, + "org_id": "1", + "orgc_id": "5", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T15:25:53.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + }, + "orgc": { + "id": "5", + "local": false, + "name": 
"ESET", + "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" + } + }, + "tags": [ + "preserve_original_event", + "misp-galaxy:threat-actor=Turla Group", + "Turla", + "tlp:white" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "WHITE" + ] + }, + "provider": "misp", + "scanner_stats": 0, + "type": "url", + "url": { + "domain": "get.adobe.com", + "full": "http://get.adobe.com/stats/AbfFcBebD/?q=", + "original": "http://get.adobe.com/stats/AbfFcBebD/?q=", + "path": "/stats/AbfFcBebD/", + "query": "q=", + "scheme": "http" + } + } + } + }, + { + "@timestamp": "2018-08-28T13:20:17.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"158\",\"orgc_id\":\"5\",\"org_id\":\"1\",\"date\":\"2018-01-08\",\"threat_level_id\":\"1\",\"info\":\"Turla: Mosquito Whitepaper\",\"published\":true,\"uuid\":\"5a5395d1-40a0-45fc-b692-334a0a016219\",\"attribute_count\":\"61\",\"analysis\":\"0\",\"timestamp\":\"1535462417\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637953\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"local\":false},\"Attribute\":{\"id\":\"17330\",\"type\":\"uri\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"5a539ce1-3de0-4e34-8fc4-2fc50a016219\",\"event_id\":\"158\",\"distribution\":\"5\",\"timestamp\":\"1515429089\",\"comment\":\"Win32 backdoor C\u0026C 
URI\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"/scripts/m/query.php?id=\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[{\"Event\":{\"id\":\"58\",\"date\":\"2018-08-17\",\"threat_level_id\":\"1\",\"info\":\"Turla Outlook White Paper\",\"published\":true,\"uuid\":\"5b773e07-e694-458b-b99c-27f30a016219\",\"analysis\":\"0\",\"timestamp\":\"1535462383\",\"distribution\":\"3\",\"org_id\":\"1\",\"orgc_id\":\"5\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\"}}}],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"7\",\"name\":\"misp-galaxy:threat-actor=\\\"Turla Group\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"70\",\"name\":\"Turla\",\"colour\":\"#f20f53\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "Win32 backdoor C\u0026C URI", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "158", + "id": "17330", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2018-01-08T16:31:29.000Z", + "to_ids": false, + "type": "uri", + "uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219" + }, + "event": { + "attribute_count": 61, + "date": "2018-01-08", + "disable_correlation": false, + 
"distribution": 3, + "extends_uuid": "", + "id": "158", + "info": "Turla: Mosquito Whitepaper", + "locked": false, + "org_id": "1", + "orgc_id": "5", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T15:25:53.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + }, + "orgc": { + "id": "5", + "local": false, + "name": "ESET", + "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" + } + }, + "tags": [ + "preserve_original_event", + "misp-galaxy:threat-actor=Turla Group", + "Turla", + "tlp:white" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "WHITE" + ] + }, + "provider": "misp", + "scanner_stats": 0, + "type": "url" + } + } + }, + { + "@timestamp": "2018-08-28T13:20:17.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"158\",\"orgc_id\":\"5\",\"org_id\":\"1\",\"date\":\"2018-01-08\",\"threat_level_id\":\"1\",\"info\":\"Turla: Mosquito Whitepaper\",\"published\":true,\"uuid\":\"5a5395d1-40a0-45fc-b692-334a0a016219\",\"attribute_count\":\"61\",\"analysis\":\"0\",\"timestamp\":\"1535462417\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637953\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"local\":false},\"Attribute\":{\"id\":\"17322\",\"type\":\"filename|sha1\",\"category\":\"Artifacts dropped\",\"to_ids\":false,\"uuid\":\"5a539ce1-e6a0-426a-942c-2fc50a016219\",\"event_id\":\"158\",\"distribution\":\"5\",\"timestamp\":\"1515429089\",\"comment\":\"JavaScript 
backdoor\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"google_update_checker.js|c51d288469df9f25e2fb7ac491918b3e579282ea\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[{\"Event\":{\"id\":\"58\",\"date\":\"2018-08-17\",\"threat_level_id\":\"1\",\"info\":\"Turla Outlook White Paper\",\"published\":true,\"uuid\":\"5b773e07-e694-458b-b99c-27f30a016219\",\"analysis\":\"0\",\"timestamp\":\"1535462383\",\"distribution\":\"3\",\"org_id\":\"1\",\"orgc_id\":\"5\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\"}}}],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"7\",\"name\":\"misp-galaxy:threat-actor=\\\"Turla Group\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"70\",\"name\":\"Turla\",\"colour\":\"#f20f53\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Artifacts dropped", + "comment": "JavaScript backdoor", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "158", + "id": "17322", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2018-01-08T16:31:29.000Z", + "to_ids": false, + "type": "filename|sha1", + "uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219" + }, + "event": { + "attribute_count": 61, + "date": 
"2018-01-08", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "158", + "info": "Turla: Mosquito Whitepaper", + "locked": false, + "org_id": "1", + "orgc_id": "5", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T15:25:53.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 1, + "uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + }, + "orgc": { + "id": "5", + "local": false, + "name": "ESET", + "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" + } + }, + "tags": [ + "preserve_original_event", + "misp-galaxy:threat-actor=Turla Group", + "Turla", + "tlp:white" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea" + }, + "name": "google_update_checker.js" + }, + "marking": { + "tlp": [ + "WHITE" + ] + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + } + }, + { + "@timestamp": "2018-01-23T16:09:56.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"22\",\"orgc_id\":\"4\",\"org_id\":\"1\",\"date\":\"2015-12-08\",\"threat_level_id\":\"3\",\"info\":\"Packrat: Seven Years of a South American Threat Actor\",\"published\":true,\"uuid\":\"56ccdcaf-f7e4-40d8-bca1-51299062e56a\",\"attribute_count\":\"133\",\"analysis\":\"2\",\"timestamp\":\"1516723796\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637901\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"4\",\"name\":\"CUDESO\",\"uuid\":\"56c42374-fdb8-4544-a218-41ffc0a8ab16\",\"local\":false},\"Attribute\":{\"id\":\"12268\",\"type\":\"email-src\",\"category\":\"Payload 
delivery\",\"to_ids\":true,\"uuid\":\"56ccdcb6-4d6c-4e48-b955-52849062e56a\",\"event_id\":\"22\",\"distribution\":\"5\",\"timestamp\":\"1456266422\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"claudiobonadio88@gmail.com\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "22", + "id": "12268", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2016-02-23T22:27:02.000Z", + "to_ids": true, + "type": "email-src", + "uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a" + }, + "event": { + "attribute_count": 133, + "date": "2015-12-08", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "22", + "info": "Packrat: Seven Years of a South American Threat Actor", + "locked": false, + "org_id": "1", + "orgc_id": "4", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T15:25:01.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 3, + "uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a" + }, + "orgc": { + "id": "4", + "local": false, + "name": "CUDESO", + "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16" + } + }, + "tags": [ + "preserve_original_event", + "tlp:white" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "email": { + "address": "claudiobonadio88@gmail.com" + }, + "marking": { + "tlp": [ + "WHITE" + ] + }, + "provider": "misp", + "scanner_stats": 2, + 
"type": "email-addr" + } + } + }, + { + "@timestamp": "2018-01-23T16:09:56.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"22\",\"orgc_id\":\"4\",\"org_id\":\"1\",\"date\":\"2015-12-08\",\"threat_level_id\":\"3\",\"info\":\"Packrat: Seven Years of a South American Threat Actor\",\"published\":true,\"uuid\":\"56ccdcaf-f7e4-40d8-bca1-51299062e56a\",\"attribute_count\":\"133\",\"analysis\":\"2\",\"timestamp\":\"1516723796\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637901\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"4\",\"name\":\"CUDESO\",\"uuid\":\"56c42374-fdb8-4544-a218-41ffc0a8ab16\",\"local\":false},\"Attribute\":{\"id\":\"12298\",\"type\":\"regkey\",\"category\":\"Artifacts dropped\",\"to_ids\":true,\"uuid\":\"56ccdcd6-f4b8-4383-9624-52849062e56a\",\"event_id\":\"22\",\"distribution\":\"5\",\"timestamp\":\"1456266454\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "22", + "id": "12298", + "object_id": "0", + "sharing_group_id": 
"0", + "timestamp": "2016-02-23T22:27:34.000Z", + "to_ids": true, + "type": "regkey", + "uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a" + }, + "event": { + "attribute_count": 133, + "date": "2015-12-08", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "22", + "info": "Packrat: Seven Years of a South American Threat Actor", + "locked": false, + "org_id": "1", + "orgc_id": "4", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T15:25:01.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 3, + "uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a" + }, + "orgc": { + "id": "4", + "local": false, + "name": "CUDESO", + "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16" + } + }, + "tags": [ + "preserve_original_event", + "tlp:white" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "WHITE" + ] + }, + "provider": "misp", + "registry": { + "key": "HKLM\\SOFTWARE\\Microsoft\\Active" + }, + "scanner_stats": 2, + "type": "windows-registry-key" + } + } + }, + { + "@timestamp": "2020-12-13T14:03:16.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"Event\":{\"id\":\"10\",\"orgc_id\":\"4\",\"org_id\":\"1\",\"date\":\"2020-12-09\",\"threat_level_id\":\"3\",\"info\":\"Recent Qakbot (Qbot) 
activity\",\"published\":true,\"uuid\":\"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16\",\"attribute_count\":\"15\",\"analysis\":\"2\",\"timestamp\":\"1607868196\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637888\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"4\",\"name\":\"CUDESO\",\"uuid\":\"56c42374-fdb8-4544-a218-41ffc0a8ab16\",\"local\":false},\"Attribute\":{\"id\":\"10686\",\"type\":\"ip-dst|port\",\"category\":\"Network activity\",\"to_ids\":true,\"uuid\":\"5fd0c620-a844-4ace-9710-a37bc0a8ab16\",\"event_id\":\"10\",\"distribution\":\"5\",\"timestamp\":\"1607517728\",\"comment\":\"On port 2222\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"89.160.20.156|2222\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"6\",\"name\":\"misp-galaxy:banker=\\\"Qakbot\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0}]}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "On port 2222", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "10", + "id": "10686", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2020-12-09T12:42:08.000Z", + "to_ids": true, + "type": "ip-dst|port", + "uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16" + 
}, + "event": { + "attribute_count": 15, + "date": "2020-12-09", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "10", + "info": "Recent Qakbot (Qbot) activity", + "locked": false, + "org_id": "1", + "orgc_id": "4", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T15:24:48.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 3, + "uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16" + }, + "orgc": { + "id": "4", + "local": false, + "name": "CUDESO", + "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16" + } + }, + "tags": [ + "preserve_original_event", + "tlp:white", + "misp-galaxy:banker=Qakbot" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "ip": "89.160.20.156", + "marking": { + "tlp": [ + "WHITE" + ] + }, + "port": 2222, + "provider": "misp", + "scanner_stats": 2, + "type": "ipv4-addr" + } + } + }, + null + ] +} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/system/test-default-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/system/test-default-config.yml new file mode 100644 index 0000000000..c689b96f1a --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/system/test-default-config.yml @@ -0,0 +1,13 @@ +input: httpjson +service: misp +vars: ~ +data_stream: + vars: + preserve_original_event: true + url: http://{{Hostname}}:{{Port}} + api_token: test + interval: 10m + initial_interval: 10m + enable_request_tracer: true +assert: + hit_count: 3 diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs b/test/packages/with-logstash/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs new file mode 100644 index 0000000000..8292dd45f3 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,88 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "POST"
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+{{#if url}}
+request.url: {{url}}/events/restSearch
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+request.body:
+{{#if filters}}
+ {{filters}}
+{{/if}}
+request.transforms:
+{{#if api_token}}
+- set:
+ target: header.Authorization
+ value: {{api_token}}
+{{/if}}
+- set:
+ target: body.page
+ value: 1
+- set:
+ target: body.limit
+ value: 10
+- set:
+ target: body.returnFormat
+ value: json
+- set:
+ target: body.timestamp
+ value: '[[.cursor.timestamp.Unix]]'
+ default: '[[ (now (parseDuration "-{{initial_interval}}")).Unix ]]'
+- set:
+ # Ignored by MISP, set as a workaround to make it available in response.pagination.
+ target: url.params.timestamp
+ value: '[[.body.timestamp]]'
+
+response.split:
+ target: body.response
+ split:
+ target: body.Event.Attribute
+ ignore_empty_value: true
+ keep_parent: true
+ split:
+ target: body.Event.Object
+ keep_parent: true
+ split:
+ target: body.Event.Object.Attribute
+ keep_parent: true
+response.request_body_on_pagination: true
+response.pagination:
+- set:
+ target: body.page
+ # Add 2 because the httpjson page counter is zero-based while the MISP page parameter starts at 1.
+ value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 2]][[end]]'
+ fail_on_template_error: true
+- set:
+ target: body.timestamp
+ value: '[[.last_response.url.params.Get "timestamp"]]'
+- set:
+ target: url.params.timestamp
+ value: '[[.last_response.url.params.Get "timestamp"]]'
+cursor:
+ timestamp:
+ value: '[[.last_event.Event.timestamp]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 0000000000..3a5a5b91db
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
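Review bot: The `request.tracer.filename` line near the top of this template writes full request traces to `../../logs/httpjson/http-request-trace-*.ndjson`, while the transform `target: header.Authorization` / `value: {{api_token}}` further down puts the raw API token into that same request, so with `enable_request_tracer: true` (which the system test config in the previous hunk sets) the token presumably lands in the trace file; confirm whether the tracer redacts that header. For this test package the token is the literal `test`, so the exposure is nil here, but the file looks like a copy of the ti_misp integration template and carries no hint of this side effect. A one-line comment above the tracer line would make it explicit: `# Traces capture request headers, including Authorization; keep this disabled outside debugging.` No other part of the template is cut off by the hunk.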
@@ -0,0 +1,466 @@
+---
+description: Pipeline for parsing MISP Threat Intel
+processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: ecs.version
+ value: '8.9.0'
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: [threat]
+ - set:
+ field: event.type
+ value: [indicator]
+
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: 'ctx.event?.original == null'
+ description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.'
+ - remove:
+ field: message
+ ignore_missing: true
+ if: 'ctx.event?.original != null'
+ description: 'The `message` field is no longer required if the document has an `event.original` field.'
+ - json:
+ field: event.original
+ target_field: json
+ - drop:
+ if: ctx.json?.response != null && ctx.json.response.isEmpty()
+ - fingerprint:
+ fields:
+ - json.Event.Attribute.uuid
+ - json.Event.Object.Attribute.uuid
+ target_field: "_id"
+ ignore_missing: true
+ - rename:
+ field: json.Event
+ target_field: misp.event
+ ignore_missing: true
+ - set:
+ field: threat.indicator.provider
+ value: misp
+ if: ctx.misp?.event?.Orgc?.local != 'false'
+ - set:
+ field: threat.indicator.provider
+ value: "{{misp.event.Orgc.name}}"
+ if: ctx.misp?.event?.Orgc?.local == 'false'
+ ignore_empty_value: true
+
+ # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
+ - remove:
+ field:
+ - misp.event.ShadowAttribute
+ - misp.event.RelatedEvent
+ - misp.event.Galaxy
+ - misp.event.Attribute.Galaxy
+ - misp.event.Attribute.ShadowAttribute
+ - misp.event.EventReport
+ - misp.event.Object.Attribute.Galaxy
+ - misp.event.Object.Attribute.ShadowAttribute
+ -
misp.event.Object.ObjectReference
+ ignore_missing: true
+ - remove:
+ field:
+ - misp.event.Attribute
+ ignore_missing: true
+ if: 'ctx.misp?.event?.Attribute != null && ctx.misp.event.Attribute.size() == 0'
+ - remove:
+ field:
+ - misp.event.Object
+ ignore_missing: true
+ if: 'ctx.misp?.event?.Object != null && ctx.misp.event.Object.size() == 0'
+ - date:
+ field: misp.event.timestamp
+ tag: date_event_timestamp
+ formats:
+ - UNIX
+ if: ctx.misp?.event?.timestamp != null
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ if: ctx.misp?.event?.publish_timestamp != null
+ field: misp.event.publish_timestamp
+ target_field: misp.event.publish_timestamp
+ formats:
+ - UNIX
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: misp.event.Attribute
+ target_field: misp.attribute
+ ignore_missing: true
+ - rename:
+ field: misp.event.Object
+ target_field: misp.object
+ ignore_missing: true
+ - rename:
+ field: misp.object.Attribute
+ target_field: misp.object.attribute
+ ignore_missing: true
+ - rename:
+ field: misp.object.meta-category
+ target_field: misp.object.meta_category
+ ignore_missing: true
+ - rename:
+ field: misp.event.Orgc
+ target_field: misp.orgc
+ ignore_missing: true
+ - rename:
+ field: misp.event.Org
+ target_field: misp.org
+ ignore_missing: true
+ - rename:
+ field: misp.event.Tag
+ target_field: misp.tag
+ ignore_missing: true
+
+ # # Dance around issue of not being able to split the document into two.
+ # # Make the Object.Attribute field primary if it exists, but keep the
+ # # outer Attribute as context.
+ - rename:
+ field: misp.attribute
+ target_field: misp.context.attribute
+ ignore_missing: true
+ if: ctx.misp?.object != null
+ - rename:
+ field: misp.object.attribute
+ target_field: misp.attribute
+ ignore_missing: true
+ if: ctx.misp?.object != null
+
+ - date:
+ field: misp.attribute.timestamp
+ target_field: misp.attribute.timestamp
+ tag: date_attribute_timestamp
+ formats:
+ - UNIX
+ if: ctx.misp?.attribute?.timestamp != null
+ on_failure:
+ - remove:
+ field: misp.attribute.timestamp
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: misp.context.attribute.timestamp
+ target_field: misp.context.attribute.timestamp
+ tag: date_context_attribute_timestamp
+ formats:
+ - UNIX
+ if: ctx.misp?.context?.attribute?.timestamp != null
+ on_failure:
+ - remove:
+ field: misp.context.attribute.timestamp
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: misp.object.timestamp
+ target_field: misp.object.timestamp
+ tag: date_object_timestamp
+ formats:
+ - UNIX
+ if: ctx.misp?.object?.timestamp != null
+ on_failure:
+ - remove:
+ field: misp.object.timestamp
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ #####################
+ # Threat ECS Fields #
+ #####################
+ - set:
+ field: threat.feed.name
+ value: "MISP"
+ - rename:
+ field: misp.attribute.first_seen
+ target_field: threat.indicator.first_seen
+
ignore_missing: true
+ - rename:
+ field: misp.attribute.last_seen
+ target_field: threat.indicator.last_seen
+ ignore_missing: true
+ - convert:
+ field: misp.event.analysis
+ type: long
+ target_field: threat.indicator.scanner_stats
+ ignore_missing: true
+ - convert:
+ field: misp.event.threat_level_id
+ type: long
+ ignore_missing: true
+
+ ## File/Hash indicator operations
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp.attribute.type) || ctx.misp.attribute.type.startsWith('filename'))"
+ - rename:
+ field: misp.attribute.value
+ target_field: "threat.indicator.file.hash.{{misp.attribute.type}}"
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp.attribute.type.startsWith('filename')"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.file.name
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'"
+ - grok:
+ field: misp.attribute.type
+ patterns:
+ - "%{WORD}\\|%{WORD:_tmp.hashtype}"
+ ignore_missing: true
+ if: ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|')
+ - grok:
+ field: misp.attribute.value
+ patterns:
+ - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}"
+ ignore_missing: true
+ if: ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|')
+ - set:
+ field: threat.indicator.file.hash.{{_tmp.hashtype}}
+ value: "{{_tmp.hashvalue}}"
+ if: "ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|') && ctx._tmp?.hashvalue != null && ctx._tmp.hashtype != null"
+
+ ## URL/URI indicator operations
+ - set:
+ field: threat.indicator.type
+ value: url
+ if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp.attribute.type)"
+ - uri_parts:
+ field: misp.attribute.value
+ target_field: threat.indicator.url
+ keep_original: true
+ remove_if_successful: true
+ if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'
+ - set:
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
+ ignore_empty_value: true
+ if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'"
+
+ ## Regkey indicator operations
+ - set:
+ field: threat.indicator.type
+ value: windows-registry-key
+ if: "ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('regkey')"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.registry.key
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'"
+ - grok:
+ field: misp.attribute.value
+ patterns:
+ - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}"
+ ignore_missing: true
+ if: "ctx.misp?.attribute?.type == 'regkey|value'"
+
+ ## AS indicator operations
+ - set:
+ field: threat.indicator.type
+ value: autonomous-system
+ if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'"
+ - convert:
+ field: misp.attribute.value
+ type: long
+ target_field: threat.indicator.as.number
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type == 'autonomous-system'
+
+ ## Domain/IP/Port indicator operations
+ - set:
+ field: threat.indicator.type
+ value: domain-name
+ if: "ctx.misp?.attribute?.type != null && (ctx.misp.attribute.type == 'hostname' || ctx.misp.attribute.type.startsWith('domain'))"
+ - set:
+ field: threat.indicator.type
+ value: ipv4-addr
+ if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp.attribute.type)"
+ - rename:
+ field: misp.attribute.value
+ target_field:
threat.indicator.url.domain
+ ignore_missing: true
+ if: "ctx.misp?.attribute?.type != null && ctx.threat?.indicator?.type == 'domain-name' && ctx.misp.attribute.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.ip
+ ignore_missing: true
+ if: "ctx.misp?.attribute?.type != null && ctx.threat?.indicator?.type == 'ipv4-addr' && !['domain|ip', 'ip-src|port', 'ip-dst|port'].contains(ctx.misp.attribute.type)"
+ - grok:
+ field: misp.attribute.value
+ patterns:
+ - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}"
+ ignore_missing: true
+ if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null
+ - grok:
+ field: misp.attribute.value
+ patterns:
+ - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}"
+ ignore_missing: true
+ if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
+
+ ## Email indicator operations
+ # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp.
+ - set:
+ field: threat.indicator.type
+ value: email-addr
+ if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp.attribute.type)"
+ - set:
+ field: threat.indicator.type
+ value: email-message
+ if: "ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp.attribute.type)"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.email.address
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type == 'email-addr'
+ - rename:
+ field: misp.event.event_creator_email
+ target_field: user.email
+ ignore_missing: true
+ - append:
+ field: user.roles
+ value: "reporting_user"
+ if: ctx.user?.email != null
+
+ ## MAC Address indicator operations
+ - set:
+ field: threat.indicator.type
+ value: mac-addr
+ if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp.attribute.type)"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.mac
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type == 'mac-addr'
+
+ ###################
+ # Tags ECS fields #
+ ###################
+ # Stripping special characters from tags
+ - script:
+ lang: painless
+ if: ctx.misp?.tag != null
+ source: |
+ def tags = ctx.misp.tag.stream()
+ .map(t -> t.name.replace('\\', '').replace('"', ''))
+ .collect(Collectors.toList());
+ def tlpTags = tags.stream()
+ .filter(t -> t.startsWith('tlp:'))
+ .map(t -> t.replace('tlp:', '').toUpperCase())
+ .collect(Collectors.toList());
+
+ if (ctx.tags == null) {
+ ctx.tags = new ArrayList();
+ }
+ ctx.tags.addAll(tags);
+ ctx.threat.indicator.marking = [ 'tlp': tlpTags ];
+
+ #################
+ # Convert types #
+ #################
+ - convert:
+ field: misp.event.distribution
+ type: long
+ ignore_missing: true
+ - convert:
+ field: misp.object.distribution
+ type: long
+ ignore_missing: true
+ - convert:
+ field: misp.context.event.distribution
+ type: long
+ ignore_missing:
true
+ - convert:
+ field: misp.attribute.distribution
+ type: long
+ ignore_missing: true
+ - convert:
+ field: misp.context.attribute.distribution
+ type: long
+ ignore_missing: true
+ - convert:
+ field: threat.indicator.port
+ type: long
+ ignore_missing: true
+ - convert:
+ field: misp.event.attribute_count
+ type: long
+ ignore_missing: true
+
+ ######################
+ # Cleanup processors #
+ ######################
+ - script:
+ lang: painless
+ if: ctx.misp != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
+ - remove:
+ field: event.original
+ if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - misp.attribute.value
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type != null
+ - remove:
+ field:
+ - misp.event.Attribute.timestamp
+ - misp.event.timestamp
+ - misp.tag
+ - misp.org
+ - misp.event.analysis
+ - _tmp
+ - json
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/agent.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/agent.yml
new file mode 100644
index 0000000000..da4e652c53
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/agent.yml
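Review bot: The final `remove` processor in the cleanup section lists `misp.event.Attribute.timestamp`, but `misp.event.Attribute` was already renamed to `misp.attribute` earlier in this same pipeline, so that entry can never match a field and only stays harmless because of `ignore_missing: true`. It reads as a leftover from an older field layout; dropping the `- misp.event.Attribute.timestamp` line removes the dead path without changing output. I would not replace it with `misp.attribute.timestamp`, since that is the field the `date_attribute_timestamp` processor writes and the mapping in fields.yml expects. A one-line comment above the list naming what each removal discards (raw values already parsed into `@timestamp` or ECS fields versus scratch data like `_tmp` and `json`) would make future edits to it safer.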
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml
new file mode 100644
index 0000000000..337375ce74
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_misp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_misp.threat
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name.
+ value: MISP
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/beats.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/beats.yml
new file mode 100644
index 0000000000..cb44bb2944
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/ecs.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/ecs.yml
new file mode 100644
index 0000000000..31cdaf0274
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,76 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: tags
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.original
+- external: ecs
+ name: user.email
+- external: ecs
+ name: user.roles
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.scanner_stats
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.ip
+- external: ecs
+ name: threat.indicator.url.domain
+- external: ecs
+ name: threat.indicator.url.full
+- external: ecs
+ name: threat.indicator.url.extension
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.url.path
+- external: ecs
+ name: threat.indicator.url.port
+- external: ecs
+ name: threat.indicator.url.scheme
+- external: ecs
+ name: threat.indicator.url.query
+- external: ecs
+ name: threat.indicator.email.address
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.as.number
+- external: ecs
+ name: threat.indicator.file.hash.md5
+- external: ecs
+ name: threat.indicator.file.hash.sha1
+- external: ecs
+ name: threat.indicator.file.hash.sha256
+- external: ecs
+ name: threat.indicator.marking.tlp
+- external: ecs
+ name: threat.indicator.port
+- external: ecs
+ name: threat.indicator.registry.key
+- external: ecs
+ name: threat.indicator.registry.value
+- external: ecs
+ name: threat.indicator.file.size
+- external: ecs
+ name: threat.indicator.file.type
+- external: ecs
+ name: threat.indicator.file.name
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/fields.yml
new file mode 100644
index 0000000000..fada5dd0ac
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/fields.yml
@@ -0,0 +1,383 @@
+- name: misp
+ type: group
+ description: >
+ Fields for MISP indicators
+
+ fields:
+ - name: event
+ type: group
+ description: >
+ Fields for MISP event
+
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ Attribute ID.
+
+ - name: orgc_id
+ type: keyword
+ description: >
+ Organization Community ID of the event.
+
+ - name: org_id
+ type: keyword
+ description: >
+ Organization ID of the event.
+
+ - name: threat_level_id
+ type: long
+ description: >
+ Threat level from 5 to 1, where 1 is the most critical.
+
+ - name: info
+ type: keyword
+ description: >
+ Additional text or information related to the event.
+
+ - name: published
+ type: boolean
+ description: >
+ When the event was published.
+
+ - name: uuid
+ type: keyword
+ description: >
+ The UUID of the event object.
+
+ - name: date
+ type: date
+ description: >
+ The date of when the event object was created.
+
+ - name: attribute_count
+ type: long
+ description: >
+ How many attributes are included in a single event object.
+
+ - name: timestamp
+ type: date
+ description: >
+ The timestamp of when the event object was created.
+
+ - name: distribution
+ type: long
+ description: >
+ Distribution type related to MISP.
+
+ - name: proposal_email_lock
+ type: boolean
+ description: >
+ Settings configured on MISP for email lock on this event object.
+
+ - name: locked
+ type: boolean
+ description: >
+ If the current MISP event object is locked or not.
+
+ - name: publish_timestamp
+ type: date
+ description: >
+ At what time the event object was published
+
+ - name: sharing_group_id
+ type: keyword
+ description: >
+ The ID of the grouped events or sources of the event.
+
+ - name: disable_correlation
+ type: boolean
+ description: >
+ If correlation is disabled on the MISP event object.
+
+ - name: extends_uuid
+ type: keyword
+ description: >
+ The UUID of the event object it might extend.
+
+ - name: org.id
+ type: keyword
+ description: >
+ The organization ID related to the event object.
+
+ - name: org.name
+ type: keyword
+ description: >
+ The organization name related to the event object.
+
+ - name: org.uuid
+ type: keyword
+ description: >
+ The UUID of the organization related to the event object.
+
+ - name: org.local
+ type: boolean
+ description: >
+ If the event object is local or from a remote source.
+
+ - name: orgc.id
+ type: keyword
+ description: >
+ The Organization Community ID in which the event object was reported from.
+
+ - name: orgc.name
+ type: keyword
+ description: >
+ The Organization Community name in which the event object was reported from.
+
+ - name: orgc.uuid
+ type: keyword
+ description: >
+ The Organization Community UUID in which the event object was reported from.
+
+ - name: orgc.local
+ type: boolean
+ description: >
+ If the Organization Community was local or synced from a remote source.
+
+ - name: attribute.id
+ type: keyword
+ description: >
+ The ID of the attribute related to the event object.
+
+ - name: attribute.type
+ type: keyword
+ description: >
+ The type of the attribute related to the event object. For example email, ipv4, sha1 and such.
+
+ - name: attribute.category
+ type: keyword
+ description: >
+ The category of the attribute related to the event object. For example "Network Activity".
+
+ - name: attribute.to_ids
+ type: boolean
+ description: >
+ If the attribute should be automatically synced with an IDS.
+
+ - name: attribute.uuid
+ type: keyword
+ description: >
+ The UUID of the attribute related to the event.
+
+ - name: attribute.event_id
+ type: keyword
+ description: >
+ The local event ID of the attribute related to the event.
+
+ - name: attribute.distribution
+ type: long
+ description: >
+ How the attribute has been distributed, represented by integer numbers.
+
+ - name: attribute.timestamp
+ type: date
+ description: >
+ The timestamp in which the attribute was attached to the event object.
+
+ - name: attribute.comment
+ type: keyword
+ description: >
+ Comments made to the attribute itself.
+
+ - name: attribute.sharing_group_id
+ type: keyword
+ description: >
+ The group ID of the sharing group related to the specific attribute.
+
+ - name: attribute.deleted
+ type: boolean
+ description: >
+ If the attribute has been removed from the event object.
+
+ - name: attribute.disable_correlation
+ type: boolean
+ description: >
+ If correlation has been enabled on the attribute related to the event object.
+
+ - name: attribute.object_id
+ type: keyword
+ description: >
+ The ID of the Object in which the attribute is attached.
+
+ - name: attribute.object_relation
+ type: keyword
+ description: >
+ The type of relation the attribute has with the event object itself.
+
+ - name: attribute.value
+ type: keyword
+ description: >
+ The value of the attribute, depending on the type like "url, sha1, email-src".
+
+ - name: context.attribute.id
+ type: keyword
+ description: >
+ The ID of the secondary attribute related to the event object.
+
+ - name: context.attribute.type
+ type: keyword
+ description: >
+ The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.
+
+ - name: context.attribute.category
+ type: keyword
+ description: >
+ The category of the secondary attribute related to the event object. For example "Network Activity".
+
+ - name: context.attribute.to_ids
+ type: boolean
+ description: >
+ If the secondary attribute should be automatically synced with an IDS.
+
+ - name: context.attribute.uuid
+ type: keyword
+ description: >
+ The UUID of the secondary attribute related to the event.
+
+ - name: context.attribute.event_id
+ type: keyword
+ description: >
+ The local event ID of the secondary attribute related to the event.
+
+ - name: context.attribute.distribution
+ type: long
+ description: >
+ How the secondary attribute has been distributed, represented by integer numbers.
+
+ - name: context.attribute.timestamp
+ type: date
+ description: >
+ The timestamp in which the secondary attribute was attached to the event object.
+
+ - name: context.attribute.comment
+ type: keyword
+ description: >
+ Comments made to the secondary attribute itself.
+
+ - name: context.attribute.sharing_group_id
+ type: keyword
+ description: >
+ The group ID of the sharing group related to the specific secondary attribute.
+
+ - name: context.attribute.deleted
+ type: boolean
+ description: >
+ If the secondary attribute has been removed from the event object.
+
+ - name: context.attribute.disable_correlation
+ type: boolean
+ description: >
+ If correlation has been enabled on the secondary attribute related to the event object.
+
+ - name: context.attribute.object_id
+ type: keyword
+ description: >
+ The ID of the Object in which the secondary attribute is attached.
+
+ - name: context.attribute.object_relation
+ type: keyword
+ description: >
+ The type of relation the secondary attribute has with the event object itself.
+
+ - name: context.attribute.value
+ type: keyword
+ description: >
+ The value of the attribute, depending on the type like "url, sha1, email-src".
+
+ - name: context.attribute.first_seen
+ type: keyword
+ description: >
+ The first time the indicator was seen.
+
+ - name: context.attribute.last_seen
+ type: keyword
+ description: >
+ The last time the indicator was seen.
+
+ - name: object
+ type: group
+ description: >
+ Fields for MISP Object
+
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ The ID of the object in which the attribute is attached.
+
+ - name: name
+ type: keyword
+ description: >
+ The name of the object in which the attribute is attached.
+
+ - name: meta_category
+ type: keyword
+ description: >
+ The meta-category of the object in which the attribute is attached.
+
+ - name: description
+ type: keyword
+ description: >
+ The description of the object in which the attribute is attached.
+
+ - name: template_uuid
+ type: keyword
+ description: >
+ The UUID of attribute object's template.
+
+ - name: template_version
+ type: keyword
+ description: >
+ The version of attribute object's template.
+
+ - name: event_id
+ type: keyword
+ description: >
+ The event ID of the object in which the attribute is attached.
+
+ - name: uuid
+ type: keyword
+ description: >
+ The UUID of the object in which the attribute is attached.
+
+ - name: timestamp
+ type: date
+ description: >
+ The timestamp when the object was created.
+
+ - name: distribution
+ type: long
+ description: >
+ The distribution of the object indicating who can see the object.
+
+ - name: sharing_group_id
+ type: keyword
+ description: >
+ The ID of the Sharing Group the object is shared with.
+
+ - name: comment
+ type: keyword
+ description: >
+ Comments made to the object in which the attribute is attached.
+
+ - name: deleted
+ type: boolean
+ description: >
+ If the object in which the attribute is attached has been removed.
+
+ - name: first_seen
+ type: keyword
+ description: >
+ The first time the indicator of the object was seen.
+
+ - name: last_seen
+ type: keyword
+ description: >
+ The last time the indicator of the object was seen.
+
+ - name: attribute
+ type: flattened
+ description: >
+ List of attributes of the object in which the attribute is attached.
+
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/manifest.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/manifest.yml
new file mode 100644
index 0000000000..063d60bab6
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/manifest.yml
@@ -0,0 +1,112 @@
+type: logs
+title: MISP
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: MISP URL
+ multi: false
+ required: true
+ show_user: true
+ default: https://mispserver.com
+ description: The URL or hostname of the MISP instance.
+ - name: api_token
+ type: password
+ title: MISP API Token
+ multi: false
+ required: true
+ show_user: true
+ description: The API token used to access the MISP instance.
+ - name: initial_interval
+ type: text
+ title: Initial interval
+ multi: false
+ required: true
+ show_user: true
+ default: 120h
+ description: How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s.
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: filters
+ type: yaml
+ title: MISP API Filters
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #type:
+ # OR:
+ # - ip-src
+ # - ip-dst
+ #tags:
+ # NOT:
+ # - tlp-red
+ description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) is supported.
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #verification_mode: none
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - misp-threat
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+
+ template_path: httpjson.yml.hbs
+ title: MISP
+ description: Collect indicators from the MISP API
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/sample_event.json b/test/packages/with-logstash/ti_misp/data_stream/threat/sample_event.json
new file mode 100644
index 0000000000..271f4a099f
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat/sample_event.json
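Review bot: The `url` variable defaults to `https://mispserver.com`, a publicly resolvable-looking hostname rather than a reserved example name, and the same input sends the required `api_token` to whatever host that URL names; a profile that is applied without changing the default would hand the token to a third party. Since this manifest is a copy of the upstream ti_misp package used as a test fixture, the fix belongs upstream, but the same applies to the copy here, for example `default: https://misp.example.com` (constructed). The `proxy_url` description also reads `http\[s\]://:@:` with its user, password, host and port placeholders missing; this may be an artifact of how the page was extracted rather than the file's content, but if the file really reads this way the placeholders should be restored so operators know a credential belongs in that field.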
@@ -0,0 +1,106 @@ +{ + "@timestamp": "2014-10-06T07:12:57.000Z", + "agent": { + "ephemeral_id": "24754055-2625-498c-8778-8566dbc8a368", + "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.9.1" + }, + "data_stream": { + "dataset": "ti_misp.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.9.0" + }, + "elastic_agent": { + "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2023-08-28T15:43:07.992Z", + "dataset": "ti_misp.threat", + "ingested": "2023-08-28T15:43:09Z", + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\
":\"2014-10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "22", + "id": "12394", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2016-05-05T13:29:23.000Z", + "to_ids": false, + "type": "domain", + "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" + }, + "event": { + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": 3, + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "2021-01-14T11:05:16.000Z", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "misp-threat", + "type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "GREEN" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "domain-name", + "url": { + "domain": "whatsapp.com" + } + } + } +} \ No newline at end of file 
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-common-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..4da2264165
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log
new file mode 100644
index 0000000000..c6ce1d24c8
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log
@@ -0,0 +1,12 @@ +{"id":"12345","event_id":"12345","object_id":"12345","object_relation":"sensor","category":"Internal reference","type":"md5","value":"127.0.0.1","to_ids":true,"uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","timestamp":"1617875568","distribution":"0","sharing_group_id":"1","comment":"logged source ip","deleted":false,"disable_correlation":false,"first_seen":"1581984000000000","last_seen":"1581984000000000","data":"string","event_uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","decay_score":[{"score":10.5,"base_score":80,"decayed":true,"DecayingModel":{"id":"12345","name":"Phishing model"}}],"Event":{"id":"12345","org_id":"12345","distribution":"0","info":"logged source ip","orgc_id":"12345","uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","date":"1991-01-15","published":false,"analysis":"0","attribute_count":"321","timestamp":"1617875568","sharing_group_id":"1","proposal_email_lock":true,"locked":true,"threat_level_id":"1","publish_timestamp":"1617875568","sighting_timestamp":"1617875568","disable_correlation":false,"extends_uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","event_creator_email":"user@example.com"},"Object":{"id":"12345","name":"ail-leak","meta-category":"string","description":"string","template_uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","template_version":"1","event_id":"12345","uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","timestamp":"1617875568","distribution":"0","sharing_group_id":"1","comment":"string","deleted":true,"first_seen":"1581984000000000","last_seen":"1581984000000000","Attribute":[{"id":"12345","event_id":"12345","object_id":"12345","object_relation":"sensor","category":"Internal reference","type":"md5","value":"127.0.0.1","to_ids":true,"uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","timestamp":"1617875568","distribution":"0","sharing_group_id":"1","comment":"logged source 
ip","deleted":false,"disable_correlation":false,"first_seen":"1581984000000000","last_seen":"1581984000000000"}]},"Tag":[{"id":"12345","name":"tlp:white","colour":"#ffffff","exportable":true,"org_id":"12345","user_id":"12345","hide_tag":false,"numerical_value":"12345","is_galaxy":true,"is_custom_galaxy":true,"inherited":1}]} +{"id":"1","event_id":"1","object_id":"0","object_relation":null,"category":"External analysis","type":"link","to_ids":false,"uuid":"542e4cbd-ee78-4a57-bfb8-1fda950d210b","timestamp":"1412320445","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http://labs.opendns.com/2014/10/02/opendns-and-bash/","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT ShellShock scanning IPs from OpenDNS","orgc_id":"2","uuid":"542e4c9c-cadc-4f8f-bb11-6d13950d210b"}} +{"id":"4","event_id":"1","object_id":"0","object_relation":null,"category":"External analysis","type":"text","to_ids":false,"uuid":"542e4ccc-b8fc-44af-959d-6ead950d210b","timestamp":"1412320460","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"Shellshock","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT ShellShock scanning IPs from OpenDNS","orgc_id":"2","uuid":"542e4c9c-cadc-4f8f-bb11-6d13950d210b"}} +{"id":"5","event_id":"1","object_id":"0","object_relation":null,"category":"External analysis","type":"comment","to_ids":false,"uuid":"542e4ce7-6120-41c0-8793-e90e950d210b","timestamp":"1412320487","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"Data encoded by David André","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT ShellShock scanning IPs from OpenDNS","orgc_id":"2","uuid":"542e4c9c-cadc-4f8f-bb11-6d13950d210b"}} 
+{"id":"6","event_id":"1","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-src","to_ids":true,"uuid":"542e4cfe-21ac-46a7-9d82-06b3950d210b","timestamp":"1412320510","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"81.2.69.193","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT ShellShock scanning IPs from OpenDNS","orgc_id":"2","uuid":"542e4c9c-cadc-4f8f-bb11-6d13950d210b"}} +{"id":"10","event_id":"1","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-src","to_ids":true,"uuid":"542e4cfe-7a98-4c98-a862-06b3950d210b","timestamp":"1412320510","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"81.2.69.145","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT ShellShock scanning IPs from OpenDNS","orgc_id":"2","uuid":"542e4c9c-cadc-4f8f-bb11-6d13950d210b"}} +{"id":"35744","event_id":"29","object_id":"0","object_relation":null,"category":"Artifacts dropped","type":"filename|sha256","to_ids":true,"uuid":"54744143-fc88-4508-bf10-458d950d210b","timestamp":"1416905027","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7|7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7","Event":{"org_id":"1","distribution":"3","id":"29","info":"Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept","orgc_id":"2","uuid":"54743eaf-e1c0-47a0-b838-49d7950d210b"}} +{"id":"35961","event_id":"31","object_id":"0","object_relation":null,"category":"Artifacts dropped","type":"filename|md5","to_ids":true,"uuid":"56c6482a-ceb8-4402-8480-599f950d210f","timestamp":"1455835178","distribution":"5","sharing_group_id":"0","comment":"Automatically added (via VirusShare_1f36209c1763d31af06a66f866dbb7b6|01764db54541ced228a598fe020b3971f5ef82d7)","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"VirusShare_1f36209c1763d31af06a66f866dbb7b6|1f36209c1763d31af06a66f866dbb7b6","Event":{"org_id":"1","distribution":"3","id":"31","info":"OSINT Regin samples shared by VirusShare","orgc_id":"2","uuid":"5476c461-5930-4ddb-8d40-d4ad950d210b"}} +{"id":"37412","event_id":"44","object_id":"0","object_relation":null,"category":"Artifacts dropped","type":"regkey","to_ids":true,"uuid":"54cb360e-7f00-4311-aed4-4505950d210b","timestamp":"1422603790","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\f0xy","Event":{"org_id":"1","distribution":"3","id":"44","info":"OSINT New 'f0xy' malware is intelligent - employs cunning stealth & trickery from Websense","orgc_id":"2","uuid":"54cb3580-cde4-4b39-bf8c-443f950d210b"}} +{"id":"40687","event_id":"53","object_id":"0","object_relation":null,"category":"Network activity","type":"AS","to_ids":false,"uuid":"54f86825-c80c-47cf-a795-48c1950d210b","timestamp":"1425565733","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"48031","Event":{"org_id":"1","distribution":"3","id":"53","info":"OSINT Analysis of malcious CHM file by OpenDNS","orgc_id":"2","uuid":"54f8662f-c7f0-4f59-a42a-a9a9950d210b"}} 
+{"id":"1084","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"54324081-3308-4f1f-8674-4953950d210b","timestamp":"1412579457","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"89.160.20.129","Event":{"org_id":"1","distribution":"3","id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","orgc_id":"2","uuid":"54323f2c-e50c-4268-896c-4867950d210b"}} +{"id":"24749","event_id":"10","object_id":"0","object_relation":null,"category":"Network activity","type":"email-dst","to_ids":true,"uuid":"544ff4c2-914c-482f-aa29-4c43950d210b","timestamp":"1414526146","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"lisa.cuddy@wind0ws.kz","Event":{"org_id":"1","distribution":"3","id":"10","info":"OSINT APT28: A Window into Russia’s Cyber Espionage Operations? blog post by FireEye","orgc_id":"2","uuid":"544fee45-f108-4fa6-ace9-3989950d210b"}} diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json new file mode 100644 index 0000000000..fe390ee961 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json 
@@ -0,0 +1,767 @@ +{ + "expected": [ + { + "@timestamp": "2021-04-08T09:52:48.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"12345\",\"event_id\":\"12345\",\"object_id\":\"12345\",\"object_relation\":\"sensor\",\"category\":\"Internal reference\",\"type\":\"md5\",\"value\":\"127.0.0.1\",\"to_ids\":true,\"uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"timestamp\":\"1617875568\",\"distribution\":\"0\",\"sharing_group_id\":\"1\",\"comment\":\"logged source ip\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":\"1581984000000000\",\"last_seen\":\"1581984000000000\",\"data\":\"string\",\"event_uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"decay_score\":[{\"score\":10.5,\"base_score\":80,\"decayed\":true,\"DecayingModel\":{\"id\":\"12345\",\"name\":\"Phishing model\"}}],\"Event\":{\"id\":\"12345\",\"org_id\":\"12345\",\"distribution\":\"0\",\"info\":\"logged source ip\",\"orgc_id\":\"12345\",\"uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"date\":\"1991-01-15\",\"published\":false,\"analysis\":\"0\",\"attribute_count\":\"321\",\"timestamp\":\"1617875568\",\"sharing_group_id\":\"1\",\"proposal_email_lock\":true,\"locked\":true,\"threat_level_id\":\"1\",\"publish_timestamp\":\"1617875568\",\"sighting_timestamp\":\"1617875568\",\"disable_correlation\":false,\"extends_uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"event_creator_email\":\"user@example.com\"},\"Object\":{\"id\":\"12345\",\"name\":\"ail-leak\",\"meta-category\":\"string\",\"description\":\"string\",\"template_uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"template_version\":\"1\",\"event_id\":\"12345\",\"uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"timestamp\":\"1617875568\",\"distribution\":\"0\",\"sharing_group_id\":\"1\",\"comment\":\"string\",\"deleted\":true,\"first_seen\":\"1581984000000000\",\"last_seen\":\"1581984000000000\",\"Attribute\":[{\"id\":\"12345\",\"event_id\":\"12345\",
\"object_id\":\"12345\",\"object_relation\":\"sensor\",\"category\":\"Internal reference\",\"type\":\"md5\",\"value\":\"127.0.0.1\",\"to_ids\":true,\"uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"timestamp\":\"1617875568\",\"distribution\":\"0\",\"sharing_group_id\":\"1\",\"comment\":\"logged source ip\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":\"1581984000000000\",\"last_seen\":\"1581984000000000\"}]},\"Tag\":[{\"id\":\"12345\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"org_id\":\"12345\",\"user_id\":\"12345\",\"hide_tag\":false,\"numerical_value\":\"12345\",\"is_galaxy\":true,\"is_custom_galaxy\":true,\"inherited\":1}]}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Internal reference", + "comment": "logged source ip", + "data": "string", + "decay_score": [ + { + "base_score": 80, + "decayed": true, + "decaying_model": { + "id": "12345", + "name": "Phishing model" + }, + "score": 10.5 + } + ], + "deleted": false, + "disable_correlation": false, + "distribution": 0, + "event_id": "12345", + "event_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", + "id": "12345", + "object_id": "12345", + "object_relation": "sensor", + "sharing_group_id": "1", + "to_ids": true, + "type": "md5", + "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b" + }, + "event": { + "attribute_count": 321, + "date": "1991-01-15", + "disable_correlation": false, + "distribution": 0, + "extends_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", + "id": "12345", + "info": "logged source ip", + "locked": true, + "orgc_id": "12345", + "proposal_email_lock": true, + "publish_timestamp": "2021-04-08T09:52:48.000Z", + "published": false, + "sharing_group_id": "1", + "sighting_timestamp": "2021-04-08T09:52:48.000Z", + "threat_level_id": 1, + "timestamp": "2021-04-08T09:52:48.000Z", + "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b" + }, + "object": { + "attribute": [ + { + "category": "Internal reference", + "comment": "logged source 
ip", + "deleted": false, + "disable_correlation": false, + "distribution": "0", + "event_id": "12345", + "first_seen": "1581984000000000", + "id": "12345", + "last_seen": "1581984000000000", + "object_id": "12345", + "object_relation": "sensor", + "sharing_group_id": "1", + "timestamp": "2021-04-08T09:52:48.000Z", + "to_ids": true, + "type": "md5", + "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", + "value": "127.0.0.1" + } + ], + "comment": "string", + "deleted": true, + "description": "string", + "distribution": 0, + "event_id": "12345", + "first_seen": "1581984000000000", + "id": "12345", + "last_seen": "1581984000000000", + "meta_category": "string", + "name": "ail-leak", + "sharing_group_id": "1", + "template_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", + "template_version": "1", + "timestamp": "2021-04-08T09:52:48.000Z", + "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b" + } + }, + "organization": { + "id": "12345" + }, + "tags": [ + "preserve_original_event", + "tlp:white" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "md5": "127.0.0.1" + } + }, + "first_seen": "1581984000000000", + "last_seen": "1581984000000000", + "marking": { + "tlp": [ + "WHITE" + ] + }, + "provider": "misp", + "scanner_stats": 0, + "type": "file" + } + }, + "user": { + "email": "user@example.com", + "roles": [ + "reporting_user" + ] + } + }, + { + "@timestamp": "2014-10-03T07:14:05.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"1\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"External 
analysis\",\"type\":\"link\",\"to_ids\":false,\"uuid\":\"542e4cbd-ee78-4a57-bfb8-1fda950d210b\",\"timestamp\":\"1412320445\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"http://labs.opendns.com/2014/10/02/opendns-and-bash/\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "External analysis", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "1", + "id": "1", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": false, + "type": "link", + "uuid": "542e4cbd-ee78-4a57-bfb8-1fda950d210b" + }, + "event": { + "distribution": 3, + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + "organization": { + "id": "1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "type": "url", + "url": { + "domain": "labs.opendns.com", + "full": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", + "original": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", + "path": "/2014/10/02/opendns-and-bash/", + "scheme": "http" + } + } + } + }, + { + "@timestamp": "2014-10-03T07:14:20.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"4\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"External 
analysis\",\"type\":\"text\",\"to_ids\":false,\"uuid\":\"542e4ccc-b8fc-44af-959d-6ead950d210b\",\"timestamp\":\"1412320460\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"Shellshock\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "External analysis", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "1", + "id": "4", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": false, + "type": "text", + "uuid": "542e4ccc-b8fc-44af-959d-6ead950d210b", + "value": "Shellshock" + }, + "event": { + "distribution": 3, + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + "organization": { + "id": "1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp" + } + } + }, + { + "@timestamp": "2014-10-03T07:14:47.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"5\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"External analysis\",\"type\":\"comment\",\"to_ids\":false,\"uuid\":\"542e4ce7-6120-41c0-8793-e90e950d210b\",\"timestamp\":\"1412320487\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"Data encoded by David André\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from 
OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "External analysis", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "1", + "id": "5", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": false, + "type": "comment", + "uuid": "542e4ce7-6120-41c0-8793-e90e950d210b", + "value": "Data encoded by David André" + }, + "event": { + "distribution": 3, + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + "organization": { + "id": "1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp" + } + } + }, + { + "@timestamp": "2014-10-03T07:15:10.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"6\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"ip-src\",\"to_ids\":true,\"uuid\":\"542e4cfe-21ac-46a7-9d82-06b3950d210b\",\"timestamp\":\"1412320510\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"81.2.69.193\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "1", + "id": "6", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": true, + "type": "ip-src", + "uuid": "542e4cfe-21ac-46a7-9d82-06b3950d210b" + }, + "event": { + 
"distribution": 3, + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + "organization": { + "id": "1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "ip": "81.2.69.193", + "provider": "misp", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2014-10-03T07:15:10.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"10\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"ip-src\",\"to_ids\":true,\"uuid\":\"542e4cfe-7a98-4c98-a862-06b3950d210b\",\"timestamp\":\"1412320510\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"81.2.69.145\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "1", + "id": "10", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": true, + "type": "ip-src", + "uuid": "542e4cfe-7a98-4c98-a862-06b3950d210b" + }, + "event": { + "distribution": 3, + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + "organization": { + "id": "1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "ip": "81.2.69.145", + "provider": "misp", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2014-11-25T08:43:47.000Z", + "ecs": { + "version": 
"8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"35744\",\"event_id\":\"29\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Artifacts dropped\",\"type\":\"filename|sha256\",\"to_ids\":true,\"uuid\":\"54744143-fc88-4508-bf10-458d950d210b\",\"timestamp\":\"1416905027\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7|7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"29\",\"info\":\"Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept\",\"orgc_id\":\"2\",\"uuid\":\"54743eaf-e1c0-47a0-b838-49d7950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "29", + "id": "35744", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": true, + "type": "filename|sha256", + "uuid": "54744143-fc88-4508-bf10-458d950d210b" + }, + "event": { + "distribution": 3, + "id": "29", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept", + "orgc_id": "2", + "uuid": "54743eaf-e1c0-47a0-b838-49d7950d210b" + } + }, + "organization": { + "id": "1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "sha256": "7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7" + }, + "name": "7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7" + }, + "provider": "misp", + "type": "file" + } + } + }, + { + "@timestamp": "2016-02-18T22:39:38.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"35961\",\"event_id\":\"31\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Artifacts dropped\",\"type\":\"filename|md5\",\"to_ids\":true,\"uuid\":\"56c6482a-ceb8-4402-8480-599f950d210f\",\"timestamp\":\"1455835178\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"Automatically added (via VirusShare_1f36209c1763d31af06a66f866dbb7b6|01764db54541ced228a598fe020b3971f5ef82d7)\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"VirusShare_1f36209c1763d31af06a66f866dbb7b6|1f36209c1763d31af06a66f866dbb7b6\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"31\",\"info\":\"OSINT Regin samples shared by VirusShare\",\"orgc_id\":\"2\",\"uuid\":\"5476c461-5930-4ddb-8d40-d4ad950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Artifacts dropped", + "comment": "Automatically added (via VirusShare_1f36209c1763d31af06a66f866dbb7b6|01764db54541ced228a598fe020b3971f5ef82d7)", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "31", + "id": "35961", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": true, + "type": "filename|md5", + "uuid": "56c6482a-ceb8-4402-8480-599f950d210f" + }, + "event": { + "distribution": 3, + "id": "31", 
+ "info": "OSINT Regin samples shared by VirusShare", + "orgc_id": "2", + "uuid": "5476c461-5930-4ddb-8d40-d4ad950d210b" + } + }, + "organization": { + "id": "1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "file": { + "hash": { + "md5": "1f36209c1763d31af06a66f866dbb7b6" + }, + "name": "VirusShare_1f36209c1763d31af06a66f866dbb7b6" + }, + "provider": "misp", + "type": "file" + } + } + }, + { + "@timestamp": "2015-01-30T07:43:10.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"37412\",\"event_id\":\"44\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Artifacts dropped\",\"type\":\"regkey\",\"to_ids\":true,\"uuid\":\"54cb360e-7f00-4311-aed4-4505950d210b\",\"timestamp\":\"1422603790\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\f0xy\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"44\",\"info\":\"OSINT New 'f0xy' malware is intelligent - employs cunning stealth \u0026 trickery from Websense\",\"orgc_id\":\"2\",\"uuid\":\"54cb3580-cde4-4b39-bf8c-443f950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Artifacts dropped", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "44", + "id": "37412", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": true, + "type": "regkey", + "uuid": "54cb360e-7f00-4311-aed4-4505950d210b" + }, + "event": { + "distribution": 3, + "id": "44", + "info": "OSINT New 'f0xy' malware is intelligent - employs cunning stealth \u0026 trickery from Websense", + "orgc_id": "2", + "uuid": "54cb3580-cde4-4b39-bf8c-443f950d210b" + } + }, + "organization": { + "id": 
"1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "registry": { + "key": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\f0xy" + }, + "type": "windows-registry-key" + } + } + }, + { + "@timestamp": "2015-03-05T14:28:53.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"40687\",\"event_id\":\"53\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"AS\",\"to_ids\":false,\"uuid\":\"54f86825-c80c-47cf-a795-48c1950d210b\",\"timestamp\":\"1425565733\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"48031\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"53\",\"info\":\"OSINT Analysis of malcious CHM file by OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"54f8662f-c7f0-4f59-a42a-a9a9950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "53", + "id": "40687", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": false, + "type": "AS", + "uuid": "54f86825-c80c-47cf-a795-48c1950d210b" + }, + "event": { + "distribution": 3, + "id": "53", + "info": "OSINT Analysis of malcious CHM file by OpenDNS", + "orgc_id": "2", + "uuid": "54f8662f-c7f0-4f59-a42a-a9a9950d210b" + } + }, + "organization": { + "id": "1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "as": { + "number": 48031 + }, + "provider": "misp", + "type": "autonomous-system" + } + } + }, + { + "@timestamp": "2014-10-06T07:10:57.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": 
"enrichment", + "original": "{\"id\":\"1084\",\"event_id\":\"2\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"ip-dst\",\"to_ids\":true,\"uuid\":\"54324081-3308-4f1f-8674-4953950d210b\",\"timestamp\":\"1412579457\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"89.160.20.129\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"orgc_id\":\"2\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "2", + "id": "1084", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": true, + "type": "ip-dst", + "uuid": "54324081-3308-4f1f-8674-4953950d210b" + }, + "event": { + "distribution": 3, + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "orgc_id": "2", + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + } + }, + "organization": { + "id": "1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "ip": "89.160.20.129", + "provider": "misp", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2014-10-28T19:55:46.000Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\":\"24749\",\"event_id\":\"10\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network 
activity\",\"type\":\"email-dst\",\"to_ids\":true,\"uuid\":\"544ff4c2-914c-482f-aa29-4c43950d210b\",\"timestamp\":\"1414526146\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"lisa.cuddy@wind0ws.kz\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"10\",\"info\":\"OSINT APT28: A Window into Russia’s Cyber Espionage Operations? blog post by FireEye\",\"orgc_id\":\"2\",\"uuid\":\"544fee45-f108-4fa6-ace9-3989950d210b\"}}", + "type": [ + "indicator" + ] + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "10", + "id": "24749", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": true, + "type": "email-dst", + "uuid": "544ff4c2-914c-482f-aa29-4c43950d210b" + }, + "event": { + "distribution": 3, + "id": "10", + "info": "OSINT APT28: A Window into Russia’s Cyber Espionage Operations? blog post by FireEye", + "orgc_id": "2", + "uuid": "544fee45-f108-4fa6-ace9-3989950d210b" + } + }, + "organization": { + "id": "1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "email": { + "address": "lisa.cuddy@wind0ws.kz" + }, + "provider": "misp", + "type": "email-addr" + } + } + } + ] +} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml new file mode 100644 index 0000000000..d1cb754892 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml 
@@ -0,0 +1,13 @@ +input: httpjson +service: misp +vars: ~ +data_stream: + vars: + preserve_original_event: true + url: http://{{Hostname}}:{{Port}} + api_token: test + interval: 10m + initial_interval: 10m + enable_request_tracer: true +assert: + hit_count: 5 diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs new file mode 100644 index 0000000000..b85674c2b3 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,80 @@ +config_version: "2" +interval: {{interval}} +request.method: "POST" +{{#if enable_request_tracer}} +request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson" +{{/if}} +{{#if url}} +request.url: {{url}}/attributes/restSearch +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} +request.body: +{{#if filters}} + {{filters}} +{{/if}} +request.transforms: +{{#if api_token}} +- set: + target: header.Authorization + value: {{api_token}} +{{/if}} +- set: + target: body.page + value: 1 +- set: + target: body.limit + value: 10 +- set: + target: body.returnFormat + value: json +- set: + target: body.timestamp + value: '[[.cursor.timestamp.Unix]]' + default: '[[ (now (parseDuration "-{{initial_interval}}")).Unix ]]' +- set: + # Ignored by MISP, set as a workaround to make it available in response.pagination. + target: url.params.timestamp + value: '[[.body.timestamp]]' + +response.split: + target: body.response.Attribute + ignore_empty_value: true + keep_parent: false +response.request_body_on_pagination: true +response.pagination: +- set: + target: body.page + # Add 2 because the httpjson page counter is zero-based while the MISP page parameter starts at 1. 
+ value: '[[if (ne (len .last_response.body.response.Attribute) 0)]][[add .last_response.page 2]][[end]]' + fail_on_template_error: true +- set: + target: body.timestamp + value: '[[.last_response.url.params.Get "timestamp"]]' +- set: + target: url.params.timestamp + value: '[[.last_response.url.params.Get "timestamp"]]' +cursor: + timestamp: + value: '[[.last_event.Attribute.timestamp]]' +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..a74f23de39 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml 
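Review bot: `value: {{api_token}}` in the `request.transforms` block renders the token as an unquoted YAML scalar, so a token containing `:`, `#` or a leading special character would be mis-parsed or truncated when the stream is rendered; `value: "{{api_token}}"` (and likewise `request.url: "{{url}}/attributes/restSearch"`) keeps the generated YAML valid for any value. Related to the same transform: with `enable_request_tracer` set, `request.tracer.filename` records the full request exchange, including the `Authorization` header that this transform sets, under `../../logs/httpjson/`, and the accompanying test config enables it; a one-line comment above that block, `# Trace files record whole requests, including the Authorization header set below; debugging use only.`, would make that visible to whoever edits the fixture. This file looks like a copy of the ti_misp integration kept as a test package, so the fix may belong upstream as well.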
@@ -0,0 +1,447 @@ +--- +description: Pipeline for parsing MISP Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: '8.9.0' + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: [threat] + - set: + field: event.type + value: [indicator] + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + if: 'ctx.event?.original == null' + description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.' + - remove: + field: message + ignore_missing: true + if: 'ctx.event?.original != null' + description: 'The `message` field is no longer required if the document has an `event.original` field.' + - json: + field: event.original + target_field: misp.attribute + - fingerprint: + fields: + - misp.attribute.uuid + - misp.attribute.Event.uuid + target_field: "_id" + ignore_missing: true + - set: + field: threat.indicator.provider + value: misp + - date: + if: ctx.misp?.attribute?.timestamp != null + field: misp.attribute.timestamp + formats: + - UNIX + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: misp.attribute.Event + target_field: misp.event + ignore_missing: true + - rename: + field: misp.attribute.Tag + target_field: misp.tag + ignore_missing: true + - rename: + field: misp.attribute.Object + target_field: misp.object + ignore_missing: true + - rename: + field: misp.object.Attribute + target_field: misp.object.attribute + ignore_missing: true + - rename: + field: misp.object.meta-category + target_field: misp.object.meta_category + ignore_missing: true + - foreach: + if: ctx.misp?.attribute?.decay_score != null + field: 
misp.attribute.decay_score + processor: + rename: + ignore_missing: true + field: _ingest._value.DecayingModel + target_field: _ingest._value.decaying_model + - date: + if: ctx.misp?.event?.timestamp != null + field: misp.event.timestamp + target_field: misp.event.timestamp + formats: + - UNIX + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + if: ctx.misp?.event?.publish_timestamp != null + field: misp.event.publish_timestamp + target_field: misp.event.publish_timestamp + formats: + - UNIX + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + if: ctx.misp?.event?.sighting_timestamp != null + field: misp.event.sighting_timestamp + target_field: misp.event.sighting_timestamp + formats: + - UNIX + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + if: ctx.misp?.object?.timestamp != null + field: misp.object.timestamp + target_field: misp.object.timestamp + formats: + - UNIX + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + + ##################### + # Threat ECS Fields # + ##################### + - set: + field: threat.feed.name + value: "MISP" + - rename: + field: misp.attribute.first_seen + target_field: threat.indicator.first_seen + ignore_missing: true + - rename: + field: misp.attribute.last_seen + target_field: threat.indicator.last_seen + ignore_missing: true + - convert: + field: misp.event.analysis + type: long + target_field: threat.indicator.scanner_stats + ignore_missing: true + + ## File/Hash indicator operations + - set: + field: threat.indicator.type + value: file + if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp.attribute.type) || 
ctx.misp.attribute.type.startsWith('filename'))" + - rename: + field: misp.attribute.value + target_field: "threat.indicator.file.hash.{{misp.attribute.type}}" + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp.attribute.type.startsWith('filename')" + - rename: + field: misp.attribute.value + target_field: threat.indicator.file.name + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'" + - grok: + field: misp.attribute.type + patterns: + - "%{WORD}\\|%{WORD:_tmp.hashtype}" + ignore_missing: true + if: ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|') + - grok: + field: misp.attribute.value + patterns: + - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" + ignore_missing: true + if: ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|') + - set: + field: threat.indicator.file.hash.{{_tmp.hashtype}} + value: "{{_tmp.hashvalue}}" + if: "ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|') && ctx._tmp?.hashvalue != null && ctx._tmp.hashtype != null" + + ## URL/URI indicator operations + - set: + field: threat.indicator.type + value: url + if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp.attribute.type)" + - uri_parts: + field: misp.attribute.value + target_field: threat.indicator.url + keep_original: true + remove_if_successful: true + if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri' + - set: + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" + ignore_empty_value: true + if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'" + + ## Regkey indicator operations + - set: + field: threat.indicator.type + value: windows-registry-key + if: "ctx.misp?.attribute?.type != null && 
ctx.misp.attribute.type.startsWith('regkey')" + - rename: + field: misp.attribute.value + target_field: threat.indicator.registry.key + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'" + - grok: + field: misp.attribute.value + patterns: + - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}" + ignore_missing: true + if: "ctx.misp?.attribute?.type == 'regkey|value'" + + ## AS indicator operations + - set: + field: threat.indicator.type + value: autonomous-system + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'" + - convert: + field: misp.attribute.value + type: long + target_field: threat.indicator.as.number + ignore_missing: true + if: ctx.threat?.indicator?.type == 'autonomous-system' + + ## Domain/IP/Port indicator operations + - set: + field: threat.indicator.type + value: domain-name + if: "ctx.misp?.attribute?.type != null && (ctx.misp.attribute.type == 'hostname' || ctx.misp.attribute.type.startsWith('domain'))" + - set: + field: threat.indicator.type + value: ipv4-addr + if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp.attribute.type)" + - rename: + field: misp.attribute.value + target_field: threat.indicator.url.domain + ignore_missing: true + if: "ctx.misp?.attribute?.type != null && ctx.threat?.indicator?.type == 'domain-name' && ctx.misp.attribute.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null" + - rename: + field: misp.attribute.value + target_field: threat.indicator.ip + ignore_missing: true + if: "ctx.misp?.attribute?.type != null && ctx.threat?.indicator?.type == 'ipv4-addr' && !['domain|ip', 'ip-src|port', 'ip-dst|port'].contains(ctx.misp.attribute.type)" + - grok: + field: misp.attribute.value + patterns: + - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}" + ignore_missing: true + if: ctx.misp?.attribute?.type == 
'domain|ip' && ctx.threat?.indicator?.url?.domain == null + - grok: + field: misp.attribute.value + patterns: + - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}" + ignore_missing: true + if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" + + ## Email indicator operations + # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. + - set: + field: threat.indicator.type + value: email-addr + if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp.attribute.type)" + - set: + field: threat.indicator.type + value: email-message + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp.attribute.type)" + - rename: + field: misp.attribute.value + target_field: threat.indicator.email.address + ignore_missing: true + if: ctx.threat?.indicator?.type == 'email-addr' + - rename: + field: misp.event.event_creator_email + target_field: user.email + ignore_missing: true + - append: + field: user.roles + value: "reporting_user" + if: ctx?.user?.email != null + + ## MAC Address indicator operations + - set: + field: threat.indicator.type + value: mac-addr + if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp.attribute.type)" + - rename: + field: misp.attribute.value + target_field: threat.indicator.mac + ignore_missing: true + if: ctx.threat?.indicator?.type == 'mac-addr' + + ## Artifact indicator operations + - set: + field: threat.indicator.type + value: artifact + if: "ctx.misp?.attribute?.type == 'mime-type'" + + ## Mutex indicator operations + - set: + field: threat.indicator.type + value: mutex + if: "ctx.misp?.attribute?.type == 'mutex'" + + ## Software indicator operations + - set: + field: threat.indicator.type + value: software + if: "ctx.misp?.attribute?.type == 'cpe'" + + ################### + # Tags ECS fields # + 
################### + # Stripping special characters from tags + - script: + lang: painless + if: ctx.misp?.tag != null + source: | + def tags = ctx.misp.tag.stream() + .map(t -> t.name.replace('\\', '').replace('"', '')) + .collect(Collectors.toList()); + def tlpTags = tags.stream() + .filter(t -> t.startsWith('tlp:')) + .map(t -> t.replace('tlp:', '').toUpperCase()) + .collect(Collectors.toList()); + + ctx.temp_tags = tags; + ctx.threat.indicator.marking = [ 'tlp': tlpTags ]; + - foreach: + field: temp_tags + processor: + append: + field: tags + value: '{{{_ingest._value}}}' + allow_duplicates: false + if: ctx.temp_tags != null + + ##################### + # Organization ECS Fields # + ##################### + - rename: + field: misp.event.org_id + target_field: organization.id + ignore_missing: true + + ################# + # Convert types # + ################# + - convert: + field: misp.attribute.distribution + type: long + ignore_missing: true + - convert: + field: misp.object.distribution + type: long + ignore_missing: true + - convert: + field: misp.event.distribution + type: long + ignore_missing: true + - convert: + field: threat.indicator.port + type: long + ignore_missing: true + - convert: + field: misp.event.attribute_count + type: long + ignore_missing: true + - convert: + field: misp.event.threat_level_id + type: long + ignore_missing: true + + - foreach: + if: ctx.misp?.object?.attribute != null + field: misp.object.attribute + processor: + append: + field: debug_timestamp + value: '{{{_ingest._value.timestamp}}}' + if: ctx._ingest?._value != null + + - foreach: + if: ctx.misp?.object?.attribute != null + field: misp.object.attribute + processor: + date: + field: _ingest._value.timestamp + target_field: _ingest._value.timestamp + tag: date_object_attribute_timestamp + formats: + - UNIX + ignore_failure: true + + ###################### + # Cleanup processors # + ###################### + - script: + lang: painless + if: ctx?.misp != null + source: | + 
void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - misp.attribute.value + ignore_missing: true + # Special-case email subject as it is potentially useful, but cannot yet be + # put in threat.indicator.email.subject as it is not an ECS field. + if: ctx.threat?.indicator?.type != null && ctx.misp?.attribute?.type != "email-subject" + - remove: + field: + - temp_tags + - misp.attribute.timestamp + - misp.tag + - misp.event.analysis + - _tmp + - json + ignore_missing: true + +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/agent.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/agent.yml new file mode 100644 index 0000000000..da4e652c53 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/agent.yml 
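Review bot: The first `foreach` over `misp.object.attribute` appends each element's timestamp to `debug_timestamp`, but the field is never dropped — the final `remove` lists `temp_tags`, `misp.attribute.timestamp`, `misp.tag`, `misp.event.analysis`, `_tmp` and `json`, not `debug_timestamp` — so it is indexed on every document that carries object attributes. The name suggests a leftover debugging aid; either add `- debug_timestamp` to that `remove` list or delete the first `foreach`, since the second one already converts the same timestamps in place. The data stream's `fields.yml` is outside this hunk, so whether the field is mapped (or would trip a strict-mapping test) cannot be confirmed here.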
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml new file mode 100644 index 0000000000..10b0f62a86 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_misp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_misp.threat_attributes +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: MISP +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294 +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/beats.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/beats.yml new file mode 100644 index 0000000000..cb44bb2944 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. 
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/ecs.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/ecs.yml
new file mode 100644
index 0000000000..b2389c5017
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/ecs.yml
@@ -0,0 +1,78 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: tags
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.original
+- external: ecs
+ name: user.email
+- external: ecs
+ name: user.roles
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.scanner_stats
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.ip
+- external: ecs
+ name: threat.indicator.url.domain
+- external: ecs
+ name: threat.indicator.url.full
+- external: ecs
+ name: threat.indicator.url.extension
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.url.path
+- external: ecs
+ name: threat.indicator.url.port
+- external: ecs
+ name: threat.indicator.url.scheme
+- external: ecs
+ name: threat.indicator.url.query
+- external: ecs
+ name: threat.indicator.email.address
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.as.number
+- external: ecs
+ name: threat.indicator.file.hash.md5
+- external: ecs
+ name: threat.indicator.file.hash.sha1
+- external: ecs
+ name: threat.indicator.file.hash.sha256
+- external: ecs
+ name: threat.indicator.marking.tlp
+- external: ecs
+ name: threat.indicator.port
+- external: ecs
+ name: threat.indicator.registry.key
+- external: ecs
+ name: threat.indicator.registry.value
+- external: ecs
+ name: threat.indicator.file.size
+- external: ecs
+ name: threat.indicator.file.type
+- external: ecs
+ name: threat.indicator.file.name
+- external: ecs
+ name: organization.id
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/fields.yml
new file mode 100644
index 0000000000..0a64819192
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/fields.yml
@@ -0,0 +1,277 @@
+- name: misp
+ type: group
+ description: >
+ Fields for MISP indicators
+
+ fields:
+ - name: event
+ type: group
+ description: >
+ Fields for MISP event
+
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ The local event ID of the attribute related to the event.
+
+ - name: distribution
+ type: long
+ description: >
+ Distribution type related to MISP.
+
+ - name: info
+ type: keyword
+ description: >
+ Additional text or information related to the event.
+
+ - name: orgc_id
+ type: keyword
+ description: >
+ Organization Community ID of the event.
+
+ - name: org_id
+ type: keyword
+ description: >
+ Organization ID of the event.
+
+ - name: uuid
+ type: keyword
+ description: >
+ The UUID of the event object.
+
+ - name: attribute_count
+ type: long
+ description: >
+ How many attributes are included in a single event object.
+
+ - name: date
+ type: date
+ description: >
+ The date of when the event object was created.
+
+ - name: disable_correlation
+ type: boolean
+ description: >
+ If correlation is disabled on the MISP event object.
+
+ - name: extends_uuid
+ type: keyword
+ description: >
+ The UUID of the event object it might extend.
+
+ - name: locked
+ type: boolean
+ description: >
+ If the current MISP event object is locked or not.
+
+ - name: proposal_email_lock
+ type: boolean
+ description: >
+ Settings configured on MISP for email lock on this event object.
+
+ - name: timestamp
+ type: date
+ description: >
+ The timestamp of when the event object was created.
+
+ - name: publish_timestamp
+ type: date
+ description: "At what time the event object was published \n"
+ - name: sighting_timestamp
+ type: date
+ description: >
+ At what time the event object was sighted
+
+ - name: threat_level_id
+ type: long
+ description: >
+ Threat level from 5 to 1, where 1 is the most critical.
+
+ - name: published
+ type: boolean
+ description: >
+ When the event was published.
+
+ - name: sharing_group_id
+ type: keyword
+ description: >
+ The ID of the grouped events or sources of the event.
+
+ - name: attribute
+ type: group
+ description: >
+ Fields for MISP attribute
+
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ The ID of the attribute.
+
+ - name: type
+ type: keyword
+ description: >
+ The type of the attribute. For example email, ipv4, sha1 and such.
+
+ - name: category
+ type: keyword
+ description: >
+ The category of the attribute. For example "Network Activity".
+
+ - name: to_ids
+ type: boolean
+ description: >
+ If the attribute should be automatically synced with an IDS.
+
+ - name: uuid
+ type: keyword
+ description: >
+ The UUID of the attribute.
+
+ - name: event_id
+ type: keyword
+ description: >
+ The local event ID of the attribute.
+
+ - name: event_uuid
+ type: keyword
+ description: >
+ The local event UUID of the attribute.
+
+ - name: distribution
+ type: long
+ description: >
+ How the attribute has been distributed, represented by integer numbers.
+
+ - name: comment
+ type: keyword
+ description: >
+ Comments made to the attribute itself.
+
+ - name: sharing_group_id
+ type: keyword
+ description: >
+ The group ID of the sharing group related to the specific attribute.
+
+ - name: deleted
+ type: boolean
+ description: >
+ If the attribute has been removed.
+
+ - name: disable_correlation
+ type: boolean
+ description: >
+ If correlation has been enabled on the attribute.
+
+ - name: object_id
+ type: keyword
+ description: >
+ The ID of the Object in which the attribute is attached.
+
+ - name: object_relation
+ type: keyword
+ description: >
+ The type of relation the attribute has with the attribute object itself.
+
+ - name: value
+ type: keyword
+ description: >
+ The value of the attribute, depending on the type like "url, sha1, email-src".
+
+ - name: data
+ type: keyword
+ description: >
+ The data of the attribute
+
+ - name: decay_score
+ type: flattened
+ description: >
+ Group of fields describing decay score of the attribute
+
+ - name: object
+ type: group
+ description: >
+ Fields for MISP Object
+
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ The ID of the object in which the attribute is attached.
+
+ - name: name
+ type: keyword
+ description: >
+ The name of the object in which the attribute is attached.
+
+ - name: meta_category
+ type: keyword
+ description: >
+ The meta-category of the object in which the attribute is attached.
+
+ - name: description
+ type: keyword
+ description: >
+ The description of the object in which the attribute is attached.
+
+ - name: template_uuid
+ type: keyword
+ description: >
+ The UUID of attribute object's template.
+
+ - name: template_version
+ type: keyword
+ description: >
+ The version of attribute object's template.
+
+ - name: event_id
+ type: keyword
+ description: >
+ The event ID of the object in which the attribute is attached.
+
+ - name: uuid
+ type: keyword
+ description: >
+ The UUID of the object in which the attribute is attached.
+
+ - name: timestamp
+ type: date
+ description: >
+ The timestamp when the object was created.
+
+ - name: distribution
+ type: long
+ description: >
+ The distribution of the object indicating who can see the object.
+
+ - name: sharing_group_id
+ type: keyword
+ description: >
+ The ID of the Sharing Group the object is shared with.
+
+ - name: comment
+ type: keyword
+ description: >
+ Comments made to the object in which the attribute is attached.
+
+ - name: deleted
+ type: boolean
+ description: >
+ If the object in which the attribute is attached has been removed.
+
+ - name: first_seen
+ type: keyword
+ description: >
+ The first time the indicator of the object was seen.
+
+ - name: last_seen
+ type: keyword
+ description: >
+ The last time the indicator of the object was seen.
+
+ - name: attribute
+ type: flattened
+ description: >
+ List of attributes of the object in which the attribute is attached.
+
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/manifest.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/manifest.yml
new file mode 100644
index 0000000000..48d1b3345e
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/manifest.yml
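Review bot: The `misp.event.published` field in this hunk is typed `boolean` but its description reads `When the event was published.`, which describes a timestamp rather than a flag; it should say what the boolean means, e.g. `Whether the event has been published.` (the README table added later in this commit repeats the same wording, so it is worth fixing at the source). In the same hunk `publish_timestamp` is the only field whose description is a double-quoted scalar with a trailing escape, `description: "At what time the event object was published \n"`, while every other field uses a folded `>` block; writing it in the same folded style drops the stray newline from the rendered docs. If this fixture is a verbatim copy of the published ti_misp package, both corrections presumably belong upstream first so the test copy does not drift from it.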
@@ -0,0 +1,112 @@
+type: logs
+title: MISP
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: MISP URL
+ multi: false
+ required: true
+ show_user: true
+ default: https://mispserver.com
+ description: The URL or hostname of the MISP instance.
+ - name: api_token
+ type: password
+ title: MISP API Token
+ multi: false
+ required: true
+ show_user: true
+ description: The API token used to access the MISP instance.
+ - name: initial_interval
+ type: text
+ title: Initial interval
+ multi: false
+ required: true
+ show_user: true
+ default: 120h
+ description: How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s.
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: filters
+ type: yaml
+ title: MISP API Filters
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #type:
+ # OR:
+ # - ip-src
+ # - ip-dst
+ #tags:
+ # NOT:
+ # - tlp-red
+ description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) is supported.
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #verification_mode: none
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - misp-threat_attributes
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+
+ template_path: httpjson.yml.hbs
+ title: MISP
+ description: Collect indicators from the MISP Attributes API
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/sample_event.json b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/sample_event.json
new file mode 100644
index 0000000000..1c4056959e
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/sample_event.json
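Review bot: The `proxy_url` description in this hunk reads `URL to proxy connections in the form of http\[s\]://:@:`, with nothing between the `://`, `:`, `@` and `:` separators, so the help text shown to the user no longer says which parts are the credentials and which the proxy host and port. That looks like angle-bracketed placeholders (user, password, host, port) were dropped, either in the file itself or by the page rendering; if the committed file really reads this way, restore them with escaped brackets so they survive Markdown rendering, for example `description: URL to proxy connections in the form of http\[s\]://\<user\>:\<password\>@\<proxy_host\>:\<proxy_port\>` (a constructed example, not taken from the file). Since `api_token` is correctly typed `password` while a proxy URL carrying credentials is plain `text`, it is also worth stating in that description that credentials embedded in the proxy URL are stored in clear in the policy.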
@@ -0,0 +1,87 @@ +{ + "@timestamp": "2014-10-03T07:14:05.000Z", + "agent": { + "ephemeral_id": "cdecad63-3561-4779-8f29-0f578cdbaf3e", + "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.9.1" + }, + "data_stream": { + "dataset": "ti_misp.threat_attributes", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.9.0" + }, + "elastic_agent": { + "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2023-08-28T15:44:00.019Z", + "dataset": "ti_misp.threat_attributes", + "ingested": "2023-08-28T15:44:02Z", + "kind": "enrichment", + "original": "{\"Event\":{\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"},\"category\":\"External analysis\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"1\",\"first_seen\":null,\"id\":\"1\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1412320445\",\"to_ids\":false,\"type\":\"link\",\"uuid\":\"542e4cbd-ee78-4a57-bfb8-1fda950d210b\",\"value\":\"http://labs.opendns.com/2014/10/02/opendns-and-bash/\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "misp": { + "attribute": { + "category": "External analysis", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "1", + "id": "1", + "object_id": "0", + "sharing_group_id": "0", + "to_ids": false, + "type": "link", + "uuid": "542e4cbd-ee78-4a57-bfb8-1fda950d210b" + }, + "event": { + "distribution": 3, + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + "organization": { + 
"id": "1" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "misp-threat_attributes" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "provider": "misp", + "type": "url", + "url": { + "domain": "labs.opendns.com", + "full": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", + "original": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", + "path": "/2014/10/02/opendns-and-bash/", + "scheme": "http" + } + } + } +} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/docs/README.md b/test/packages/with-logstash/ti_misp/docs/README.md new file mode 100644 index 0000000000..8af83e05a2 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/docs/README.md 
@@ -0,0 +1,430 @@ +# MISP Integration + +The MISP integration uses the [REST API from the running MISP instance](https://www.circl.lu/doc/misp/automation/#automation-api) to retrieve indicators and Threat Intelligence. + +## Logs + +### Threat + +The MISP integration configuration allows to set the polling interval, how far back it +should look initially, and optionally any filters used to filter the results. + +The filters themselves are based on the [MISP API documentation](https://www.circl.lu/doc/misp/automation/#search) and should support all documented fields. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. 
| constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| misp.attribute.category | The category of the attribute related to the event object. 
For example "Network Activity". | keyword | +| misp.attribute.comment | Comments made to the attribute itself. | keyword | +| misp.attribute.deleted | If the attribute has been removed from the event object. | boolean | +| misp.attribute.disable_correlation | If correlation has been enabled on the attribute related to the event object. | boolean | +| misp.attribute.distribution | How the attribute has been distributed, represented by integer numbers. | long | +| misp.attribute.event_id | The local event ID of the attribute related to the event. | keyword | +| misp.attribute.id | The ID of the attribute related to the event object. | keyword | +| misp.attribute.object_id | The ID of the Object in which the attribute is attached. | keyword | +| misp.attribute.object_relation | The type of relation the attribute has with the event object itself. | keyword | +| misp.attribute.sharing_group_id | The group ID of the sharing group related to the specific attribute. | keyword | +| misp.attribute.timestamp | The timestamp in which the attribute was attached to the event object. | date | +| misp.attribute.to_ids | If the attribute should be automatically synced with an IDS. | boolean | +| misp.attribute.type | The type of the attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | +| misp.attribute.uuid | The UUID of the attribute related to the event. | keyword | +| misp.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | +| misp.context.attribute.category | The category of the secondary attribute related to the event object. For example "Network Activity". | keyword | +| misp.context.attribute.comment | Comments made to the secondary attribute itself. | keyword | +| misp.context.attribute.deleted | If the secondary attribute has been removed from the event object. 
| boolean | +| misp.context.attribute.disable_correlation | If correlation has been enabled on the secondary attribute related to the event object. | boolean | +| misp.context.attribute.distribution | How the secondary attribute has been distributed, represented by integer numbers. | long | +| misp.context.attribute.event_id | The local event ID of the secondary attribute related to the event. | keyword | +| misp.context.attribute.first_seen | The first time the indicator was seen. | keyword | +| misp.context.attribute.id | The ID of the secondary attribute related to the event object. | keyword | +| misp.context.attribute.last_seen | The last time the indicator was seen. | keyword | +| misp.context.attribute.object_id | The ID of the Object in which the secondary attribute is attached. | keyword | +| misp.context.attribute.object_relation | The type of relation the secondary attribute has with the event object itself. | keyword | +| misp.context.attribute.sharing_group_id | The group ID of the sharing group related to the specific secondary attribute. | keyword | +| misp.context.attribute.timestamp | The timestamp in which the secondary attribute was attached to the event object. | date | +| misp.context.attribute.to_ids | If the secondary attribute should be automatically synced with an IDS. | boolean | +| misp.context.attribute.type | The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | +| misp.context.attribute.uuid | The UUID of the secondary attribute related to the event. | keyword | +| misp.context.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | +| misp.event.attribute_count | How many attributes are included in a single event object. | long | +| misp.event.date | The date of when the event object was created. | date | +| misp.event.disable_correlation | If correlation is disabled on the MISP event object. 
| boolean | +| misp.event.distribution | Distribution type related to MISP. | long | +| misp.event.extends_uuid | The UUID of the event object it might extend. | keyword | +| misp.event.id | Attribute ID. | keyword | +| misp.event.info | Additional text or information related to the event. | keyword | +| misp.event.locked | If the current MISP event object is locked or not. | boolean | +| misp.event.org_id | Organization ID of the event. | keyword | +| misp.event.orgc_id | Organization Community ID of the event. | keyword | +| misp.event.proposal_email_lock | Settings configured on MISP for email lock on this event object. | boolean | +| misp.event.publish_timestamp | At what time the event object was published | date | +| misp.event.published | When the event was published. | boolean | +| misp.event.sharing_group_id | The ID of the grouped events or sources of the event. | keyword | +| misp.event.threat_level_id | Threat level from 5 to 1, where 1 is the most critical. | long | +| misp.event.timestamp | The timestamp of when the event object was created. | date | +| misp.event.uuid | The UUID of the event object. | keyword | +| misp.object.attribute | List of attributes of the object in which the attribute is attached. | flattened | +| misp.object.comment | Comments made to the object in which the attribute is attached. | keyword | +| misp.object.deleted | If the object in which the attribute is attached has been removed. | boolean | +| misp.object.description | The description of the object in which the attribute is attached. | keyword | +| misp.object.distribution | The distribution of the object indicating who can see the object. | long | +| misp.object.event_id | The event ID of the object in which the attribute is attached. | keyword | +| misp.object.first_seen | The first time the indicator of the object was seen. | keyword | +| misp.object.id | The ID of the object in which the attribute is attached. 
| keyword | +| misp.object.last_seen | The last time the indicator of the object was seen. | keyword | +| misp.object.meta_category | The meta-category of the object in which the attribute is attached. | keyword | +| misp.object.name | The name of the object in which the attribute is attached. | keyword | +| misp.object.sharing_group_id | The ID of the Sharing Group the object is shared with. | keyword | +| misp.object.template_uuid | The UUID of attribute object's template. | keyword | +| misp.object.template_version | The version of attribute object's template. | keyword | +| misp.object.timestamp | The timestamp when the object was created. | date | +| misp.object.uuid | The UUID of the object in which the attribute is attached. | keyword | +| misp.org.id | The organization ID related to the event object. | keyword | +| misp.org.local | If the event object is local or from a remote source. | boolean | +| misp.org.name | The organization name related to the event object. | keyword | +| misp.org.uuid | The UUID of the organization related to the event object. | keyword | +| misp.orgc.id | The Organization Community ID in which the event object was reported from. | keyword | +| misp.orgc.local | If the Organization Community was local or synced from a remote source. | boolean | +| misp.orgc.name | The Organization Community name in which the event object was reported from. | keyword | +| misp.orgc.uuid | The Organization Community UUID in which the event object was reported from. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name. | constant_keyword | +| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | +| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | +| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | +| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.registry.key | Hive-relative path of keys. | keyword | +| threat.indicator.registry.value | Name of the value written. | keyword | +| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
+| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
+| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
+| threat.indicator.url.port | Port of the request, such as 443. | long |
+| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword |
+| user.email | User email address. | keyword |
+| user.roles | Array of user roles at the time of the event. | keyword |
+
+
+An example event for `threat` looks as following:
+
+```json
+{
+ "@timestamp": "2014-10-06T07:12:57.000Z",
+ "agent": {
+ "ephemeral_id": "24754055-2625-498c-8778-8566dbc8a368",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.9.1"
+ },
+ "data_stream": {
+ "dataset": "ti_misp.threat",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "elastic_agent": {
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
+ "snapshot": false,
+ "version": "8.9.1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "threat"
+ ],
+ "created": "2023-08-28T15:43:07.992Z",
+ "dataset": "ti_misp.threat",
+ "ingested": "2023-08-28T15:43:09Z",
+ "kind": "enrichment",
+ "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network 
activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}",
+ "type": [
+ "indicator"
+ ]
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "misp": {
+ "attribute": {
+ "category": "Network activity",
+ "comment": "",
+ "deleted": false,
+ "disable_correlation": false,
+ "distribution": 5,
+ "event_id": "22",
+ "id": "12394",
+ "object_id": "0",
+ "sharing_group_id": "0",
+ "timestamp": 
"2016-05-05T13:29:23.000Z",
+ "to_ids": false,
+ "type": "domain",
+ "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16"
+ },
+ "event": {
+ "attribute_count": 29,
+ "date": "2014-10-03",
+ "disable_correlation": false,
+ "distribution": 3,
+ "extends_uuid": "",
+ "id": "2",
+ "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "locked": false,
+ "org_id": "1",
+ "orgc_id": "2",
+ "proposal_email_lock": false,
+ "publish_timestamp": "2021-01-14T11:05:16.000Z",
+ "published": true,
+ "sharing_group_id": "0",
+ "threat_level_id": 2,
+ "uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ },
+ "orgc": {
+ "id": "2",
+ "local": false,
+ "name": "CthulhuSPRL.be",
+ "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "misp-threat",
+ "type:OSINT",
+ "tlp:green"
+ ],
+ "threat": {
+ "feed": {
+ "name": "MISP"
+ },
+ "indicator": {
+ "marking": {
+ "tlp": [
+ "GREEN"
+ ]
+ },
+ "provider": "misp",
+ "scanner_stats": 2,
+ "type": "domain-name",
+ "url": {
+ "domain": "whatsapp.com"
+ }
+ }
+ }
+}
+```
+
+### Threat Attributes
+
+The MISP integration configuration allows to set the polling interval, how far back it should look initially, and optionally any filters used to filter the results.
+This data stream uses the `/attributes/restSearch` API endpoint which returns more granular information regarding MISP attributes and additional information.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. 
| keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. 
| text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| misp.attribute.category | The category of the attribute. For example "Network Activity". | keyword |
+| misp.attribute.comment | Comments made to the attribute itself. | keyword |
+| misp.attribute.data | The data of the attribute | keyword |
+| misp.attribute.decay_score | Group of fields describing decay score of the attribute | flattened |
+| misp.attribute.deleted | If the attribute has been removed. | boolean |
+| misp.attribute.disable_correlation | If correlation has been enabled on the attribute. | boolean |
+| misp.attribute.distribution | How the attribute has been distributed, represented by integer numbers. | long |
+| misp.attribute.event_id | The local event ID of the attribute. | keyword |
+| misp.attribute.event_uuid | The local event UUID of the attribute. | keyword |
+| misp.attribute.id | The ID of the attribute. | keyword |
+| misp.attribute.object_id | The ID of the Object in which the attribute is attached. 
| keyword |
+| misp.attribute.object_relation | The type of relation the attribute has with the attribute object itself. | keyword |
+| misp.attribute.sharing_group_id | The group ID of the sharing group related to the specific attribute. | keyword |
+| misp.attribute.to_ids | If the attribute should be automatically synced with an IDS. | boolean |
+| misp.attribute.type | The type of the attribute. For example email, ipv4, sha1 and such. | keyword |
+| misp.attribute.uuid | The UUID of the attribute. | keyword |
+| misp.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword |
+| misp.event.attribute_count | How many attributes are included in a single event object. | long |
+| misp.event.date | The date of when the event object was created. | date |
+| misp.event.disable_correlation | If correlation is disabled on the MISP event object. | boolean |
+| misp.event.distribution | Distribution type related to MISP. | long |
+| misp.event.extends_uuid | The UUID of the event object it might extend. | keyword |
+| misp.event.id | The local event ID of the attribute related to the event. | keyword |
+| misp.event.info | Additional text or information related to the event. | keyword |
+| misp.event.locked | If the current MISP event object is locked or not. | boolean |
+| misp.event.org_id | Organization ID of the event. | keyword |
+| misp.event.orgc_id | Organization Community ID of the event. | keyword |
+| misp.event.proposal_email_lock | Settings configured on MISP for email lock on this event object. | boolean |
+| misp.event.publish_timestamp | At what time the event object was published | date |
+| misp.event.published | When the event was published. | boolean |
+| misp.event.sharing_group_id | The ID of the grouped events or sources of the event. 
| keyword |
+| misp.event.sighting_timestamp | At what time the event object was sighted | date |
+| misp.event.threat_level_id | Threat level from 5 to 1, where 1 is the most critical. | long |
+| misp.event.timestamp | The timestamp of when the event object was created. | date |
+| misp.event.uuid | The UUID of the event object. | keyword |
+| misp.object.attribute | List of attributes of the object in which the attribute is attached. | flattened |
+| misp.object.comment | Comments made to the object in which the attribute is attached. | keyword |
+| misp.object.deleted | If the object in which the attribute is attached has been removed. | boolean |
+| misp.object.description | The description of the object in which the attribute is attached. | keyword |
+| misp.object.distribution | The distribution of the object indicating who can see the object. | long |
+| misp.object.event_id | The event ID of the object in which the attribute is attached. | keyword |
+| misp.object.first_seen | The first time the indicator of the object was seen. | keyword |
+| misp.object.id | The ID of the object in which the attribute is attached. | keyword |
+| misp.object.last_seen | The last time the indicator of the object was seen. | keyword |
+| misp.object.meta_category | The meta-category of the object in which the attribute is attached. | keyword |
+| misp.object.name | The name of the object in which the attribute is attached. | keyword |
+| misp.object.sharing_group_id | The ID of the Sharing Group the object is shared with. | keyword |
+| misp.object.template_uuid | The UUID of attribute object's template. | keyword |
+| misp.object.template_version | The version of attribute object's template. | keyword |
+| misp.object.timestamp | The timestamp when the object was created. | date |
+| misp.object.uuid | The UUID of the object in which the attribute is attached. | keyword |
+| organization.id | Unique identifier for the organization. 
| keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.feed.name | Display friendly feed name | constant_keyword |
+| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
+| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
+| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
+| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
+| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
+| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| threat.indicator.file.type | File type (file, dir, or symlink). | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword |
+| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long |
+| threat.indicator.provider | The name of the indicator's provider. | keyword |
+| threat.indicator.registry.key | Hive-relative path of keys. | keyword |
+| threat.indicator.registry.value | Name of the value written. | keyword |
+| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. 
| long |
+| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
+| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
+| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
+| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
+| threat.indicator.url.port | Port of the request, such as 443. | long |
+| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. 
If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| user.email | User email address. | keyword |
+| user.roles | Array of user roles at the time of the event. | keyword |
+
+
diff --git a/test/packages/with-logstash/ti_misp/img/misp.svg b/test/packages/with-logstash/ti_misp/img/misp.svg
new file mode 100644
index 0000000000..076530aa25
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/img/misp.svg
@@ -0,0 +1,158 @@
+
+
+
+
diff --git a/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json b/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json
new file mode 100644
index 0000000000..465e992b5f
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json 
@@ -0,0 +1,952 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threat.indicator.type", + "negate": false, + "params": { + "query": "file" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "threat.indicator.type": "file" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_misp.threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_misp.threat" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \n**[MISP Files (This 
Page)](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877)** \n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \n\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\n\n\n**Overview**\n\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\n\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.", + "openLinksInNewTab": false + }, + "title": "Files Navigation Textbox [Logs AbuseCH]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 27, + "i": "09ba3dc0-e2e2-4799-b47f-bb919bf290a1", + "w": 7, + "x": 0, + "y": 0 + }, + "panelIndex": "09ba3dc0-e2e2-4799-b47f-bb919bf290a1", + "title": "Files Navigation Textbox [Logs MISP]", + "type": "visualization", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + } + ], + "sharingSavedObjectProps": { + "outcome": "exactMatch", + "sourceId": "ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6" + }, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "98786f76-dac4-4fc7-9cad-8bfce17bd00d": { + "columnOrder": [ + "8622e147-406f-4711-8f68-e2425614106e" + ], + "columns": { + "8622e147-406f-4711-8f68-e2425614106e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique File types", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + 
"query": "" + }, + "visualization": { + "accessor": "8622e147-406f-4711-8f68-e2425614106e", + "layerId": "98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "layerType": "data" + } + }, + "title": "Unique File Types [Logs AbuseCH]", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "31ea16d1-7591-42a7-b773-6fca00e5db14", + "w": 5, + "x": 7, + "y": 0 + }, + "panelIndex": "31ea16d1-7591-42a7-b773-6fca00e5db14", + "title": "Unique File Types [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + } + ], + "sharingSavedObjectProps": { + "outcome": "exactMatch", + "sourceId": "ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6" + }, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b83c382d-fab9-4e60-a632-475e221cc20c": { + "columnOrder": [ + "eda3c6d9-dacb-4e5e-b977-50104f76e91a" + ], + "columns": { + "eda3c6d9-dacb-4e5e-b977-50104f76e91a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique MD5", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.md5" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "eda3c6d9-dacb-4e5e-b977-50104f76e91a", + "layerId": "b83c382d-fab9-4e60-a632-475e221cc20c", + "layerType": "data" + } + }, + "title": "Unique MD5 [Logs AbuseCH]", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98", + "w": 6, + "x": 12, + "y": 0 + }, + "panelIndex": 
"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98", + "title": "Unique MD5 [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + } + ], + "sharingSavedObjectProps": { + "outcome": "exactMatch", + "sourceId": "ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6" + }, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "85ad73b3-3b76-49f1-ad20-6256b58918f8": { + "columnOrder": [ + "289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3" + ], + "columns": { + "289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique SHA1", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.sha1" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3", + "layerId": "85ad73b3-3b76-49f1-ad20-6256b58918f8", + "layerType": "data" + } + }, + "title": "Unique SHA1 [Logs AbuseCH]", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea", + "w": 6, + "x": 18, + "y": 0 + }, + "panelIndex": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea", + "title": "Unique SHA1 [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + } + ], + 
"sharingSavedObjectProps": { + "outcome": "exactMatch", + "sourceId": "ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6" + }, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "49b7070a-f1d3-46e1-a980-2f6d6d130167": { + "columnOrder": [ + "b6c5e221-88ff-490e-bd3e-188b3e0dd1f4" + ], + "columns": { + "b6c5e221-88ff-490e-bd3e-188b3e0dd1f4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique SHA256", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.sha256" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b6c5e221-88ff-490e-bd3e-188b3e0dd1f4", + "layerId": "49b7070a-f1d3-46e1-a980-2f6d6d130167", + "layerType": "data" + } + }, + "title": "Unique SHA256 [Logs AbuseCH]", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce", + "w": 6, + "x": 24, + "y": 0 + }, + "panelIndex": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce", + "title": "Unique SHA256 [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + } + ], + "sharingSavedObjectProps": { + "outcome": "exactMatch", + "sourceId": "ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6" + }, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "12768311-834b-48d5-8aad-d17d139c2ae5": { + "columnOrder": [ + "0255894e-dd88-4eb1-b21b-0cccecb2cd1b" + ], + "columns": { + "0255894e-dd88-4eb1-b21b-0cccecb2cd1b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + 
"label": "Unique TLSH", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.tlsh" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "0255894e-dd88-4eb1-b21b-0cccecb2cd1b", + "layerId": "12768311-834b-48d5-8aad-d17d139c2ae5", + "layerType": "data" + } + }, + "title": "Unique TLSH [Logs AbuseCH]", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "b77edd3f-b171-4e61-b519-169b5aade031", + "w": 6, + "x": 30, + "y": 0 + }, + "panelIndex": "b77edd3f-b171-4e61-b519-169b5aade031", + "title": "Unique TLSH [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", + "type": "index-pattern" + } + ], + "sharingSavedObjectProps": { + "outcome": "exactMatch", + "sourceId": "ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6" + }, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "9070dc46-c06d-4b64-a2c5-7b6d4056a14d": { + "columnOrder": [ + "f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801" + ], + "columns": { + "f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Imphash", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.pe.imphash" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801", + "layerId": "9070dc46-c06d-4b64-a2c5-7b6d4056a14d", + "layerType": "data" + } + }, + "title": "Unique Imphash 
[Logs AbuseCH]", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "f9eb44f8-6174-4b12-a8ca-5c542687006b", + "w": 6, + "x": 36, + "y": 0 + }, + "panelIndex": "f9eb44f8-6174-4b12-a8ca-5c542687006b", + "title": "Unique Imphash [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", + "type": "index-pattern" + } + ], + "sharingSavedObjectProps": { + "outcome": "exactMatch", + "sourceId": "ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6" + }, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e27d5a76-ae51-44fa-b17e-e486bbc01b56": { + "columnOrder": [ + "b5cdfd94-1e22-4673-8216-59aca2131761" + ], + "columns": { + "b5cdfd94-1e22-4673-8216-59aca2131761": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique SSDEEP", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.ssdeep" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b5cdfd94-1e22-4673-8216-59aca2131761", + "layerId": "e27d5a76-ae51-44fa-b17e-e486bbc01b56", + "layerType": "data" + } + }, + "title": "Unique SSDEEP [Logs AbuseCH]", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "c9d59178-9b19-4255-8098-653cb30f3d09", + "w": 6, + "x": 42, + "y": 0 + }, + "panelIndex": "c9d59178-9b19-4255-8098-653cb30f3d09", + "title": "Unique SSDEEP [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + 
"id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", + "type": "index-pattern" + } + ], + "sharingSavedObjectProps": { + "outcome": "exactMatch", + "sourceId": "2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420" + }, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "06d9ac79-2055-437e-892c-de9ee07fe674": { + "columnOrder": [ + "35f5321a-27f4-4076-9d1d-d326187f4689", + "df062557-78a5-4a78-93f1-34583c809bc3" + ], + "columns": { + "35f5321a-27f4-4076-9d1d-d326187f4689": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File Names", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "df062557-78a5-4a78-93f1-34583c809bc3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.file.name" + }, + "df062557-78a5-4a78-93f1-34583c809bc3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "35f5321a-27f4-4076-9d1d-d326187f4689", + "isTransposed": false + }, + { + "columnId": "df062557-78a5-4a78-93f1-34583c809bc3", + "isTransposed": false + } + ], + "layerId": "06d9ac79-2055-437e-892c-de9ee07fe674", + "layerType": "data" + } + }, + "title": "Most popular file names [Logs AbuseCH]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 19, + "i": "b733385b-14f8-4469-b777-86d0139cc56b", + "w": 20, + "x": 7, + "y": 8 + }, + "panelIndex": "b733385b-14f8-4469-b777-86d0139cc56b", + "title": "Most 
popular file names [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + } + ], + "sharingSavedObjectProps": { + "outcome": "exactMatch", + "sourceId": "ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6" + }, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8": { + "columnOrder": [ + "06b603cb-c9fb-493a-9ca4-e6502ca12054", + "de0e531b-dda7-461f-9783-3ab9267d202e" + ], + "columns": { + "06b603cb-c9fb-493a-9ca4-e6502ca12054": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threat.indicator.file.type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "de0e531b-dda7-461f-9783-3ab9267d202e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.file.type" + }, + "de0e531b-dda7-461f-9783-3ab9267d202e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "06b603cb-c9fb-493a-9ca4-e6502ca12054" + ], + "layerId": "222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "layerType": "data", + "legendDisplay": "default", + "metric": "de0e531b-dda7-461f-9783-3ab9267d202e", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "treemap" + } + }, + "title": "File Types [Logs AbuseCH]", + "visualizationType": "lnsPie" + }, + 
"enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 19, + "i": "5f1d0cf1-c331-4495-99d5-5e80d023c482", + "w": 21, + "x": 27, + "y": 8 + }, + "panelIndex": "5f1d0cf1-c331-4495-99d5-5e80d023c482", + "title": "File Types [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Logs MISP] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json b/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json
new file mode 100644
index 0000000000..eb0c647123
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json
@@ -0,0 +1,694 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "threat.indicator.type", + "negate": false, + "params": { + "query": "url" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "threat.indicator.type": "url" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_misp.threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_misp.threat" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \n**[MISP URLs (This Page)](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877)** \n\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\n\n\n**Overview**\n\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\n\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 39, + "i": "4c3ed6e1-8b4e-4eab-8d84-70ed4f506216", + "w": 7, + "x": 0, + "y": 0 + }, + "panelIndex": "4c3ed6e1-8b4e-4eab-8d84-70ed4f506216", + "title": "Files Navigation Textbox [Logs MISP]", + "type": "visualization", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "88a112e1-6da1-49d3-9177-19f98280c200": { + "columnOrder": [ + "604f1693-15a6-437d-af69-03588db8e471" + ], + "columns": { + "604f1693-15a6-437d-af69-03588db8e471": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Ports", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.url.port" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "604f1693-15a6-437d-af69-03588db8e471", + "layerId": "88a112e1-6da1-49d3-9177-19f98280c200", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "c7c6e8dc-b649-434c-9650-8a1564d4d676", + "w": 6, + "x": 7, + "y": 0 + }, + "panelIndex": "c7c6e8dc-b649-434c-9650-8a1564d4d676", + "title": "Unique Ports [Logs MISP]", + "type": "lens", + "version": 
"8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "a6fa56f8-32fa-405d-8771-dade4fe75d62": { + "columnOrder": [ + "848c463b-bbc1-4b6a-af3e-76d844eb3cc5" + ], + "columns": { + "848c463b-bbc1-4b6a-af3e-76d844eb3cc5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Extensions", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.url.extension" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "848c463b-bbc1-4b6a-af3e-76d844eb3cc5", + "layerId": "a6fa56f8-32fa-405d-8771-dade4fe75d62", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "73a752f9-bde5-4396-8ede-e9e77a37182d", + "w": 6, + "x": 13, + "y": 0 + }, + "panelIndex": "73a752f9-bde5-4396-8ede-e9e77a37182d", + "title": "Unique File Extensions [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c94400ee-a135-4a99-9693-5879d29f7aad": { + "columnOrder": [ + "2934249f-fce5-4637-87ff-d2596d1b6ec5" + ], + "columns": { + 
"2934249f-fce5-4637-87ff-d2596d1b6ec5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Domains", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.url.domain" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2934249f-fce5-4637-87ff-d2596d1b6ec5", + "layerId": "c94400ee-a135-4a99-9693-5879d29f7aad", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "02f1732b-a981-4fba-8b27-b944f2f3c98c", + "w": 6, + "x": 19, + "y": 0 + }, + "panelIndex": "02f1732b-a981-4fba-8b27-b944f2f3c98c", + "title": "Unique Domains [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "9fa49c4c-5544-472d-afce-e51d6a5687fe": { + "columnOrder": [ + "15e2b5ad-2040-4253-89a6-60f085c66f86", + "b9a631fe-5f49-4db2-a076-bcbf5410aec9" + ], + "columns": { + "15e2b5ad-2040-4253-89a6-60f085c66f86": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threat.indicator.url.extension", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b9a631fe-5f49-4db2-a076-bcbf5410aec9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.url.extension" + }, + "b9a631fe-5f49-4db2-a076-bcbf5410aec9": { + "dataType": "number", + "isBucketed": 
false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "15e2b5ad-2040-4253-89a6-60f085c66f86", + "15e2b5ad-2040-4253-89a6-60f085c66f86" + ], + "layerId": "9fa49c4c-5544-472d-afce-e51d6a5687fe", + "layerType": "data", + "legendDisplay": "default", + "metric": "b9a631fe-5f49-4db2-a076-bcbf5410aec9", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 31, + "i": "fda93ed1-72f0-4489-80b7-9e69d14f30aa", + "w": 23, + "x": 25, + "y": 0 + }, + "panelIndex": "fda93ed1-72f0-4489-80b7-9e69d14f30aa", + "title": "Most Popular File Extensions [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0f63318a-a857-4d83-89ce-a94e2242b79e": { + "columnOrder": [ + "df0791a6-247c-4434-a43a-fdea7577ca34", + "77a48096-02aa-4b7a-8a7b-131fc38988bd" + ], + "columns": { + "77a48096-02aa-4b7a-8a7b-131fc38988bd": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "df0791a6-247c-4434-a43a-fdea7577ca34": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threat.indicator.url.scheme", + "operationType": "terms", + "params": { + 
"missingBucket": false, + "orderBy": { + "columnId": "77a48096-02aa-4b7a-8a7b-131fc38988bd", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.url.scheme" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "df0791a6-247c-4434-a43a-fdea7577ca34" + ], + "layerId": "0f63318a-a857-4d83-89ce-a94e2242b79e", + "layerType": "data", + "legendDisplay": "show", + "metric": "77a48096-02aa-4b7a-8a7b-131fc38988bd", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d", + "w": 18, + "x": 7, + "y": 8 + }, + "panelIndex": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d", + "title": "Percentage of URL Schema used [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "db89074c-e1fe-4091-bdb1-e42a36e82bac": { + "columnOrder": [ + "b284ea2a-a2cd-4d08-bf44-fc73c08b5694", + "7ca1ac0b-2060-4431-a4b9-ec470af4448c" + ], + "columns": { + "7ca1ac0b-2060-4431-a4b9-ec470af4448c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "b284ea2a-a2cd-4d08-bf44-fc73c08b5694": { + "customLabel": true, + "dataType": 
"string", + "isBucketed": true, + "label": "Domains", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "7ca1ac0b-2060-4431-a4b9-ec470af4448c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.url.domain" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "7ca1ac0b-2060-4431-a4b9-ec470af4448c", + "isTransposed": false + }, + { + "columnId": "b284ea2a-a2cd-4d08-bf44-fc73c08b5694", + "isTransposed": false + } + ], + "layerId": "db89074c-e1fe-4091-bdb1-e42a36e82bac", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "8994501a-1550-4cf2-857f-d6b6491ffb62", + "w": 18, + "x": 7, + "y": 23 + }, + "panelIndex": "8994501a-1550-4cf2-857f-d6b6491ffb62", + "title": "Most Popular Domains [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Logs MISP] URLs", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file 
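Review bot: The "Most Popular File Extensions [Logs MISP]" treemap panel lists the same bucket column twice in its `groups` array (`"15e2b5ad-2040-4253-89a6-60f085c66f86"` appears as both entries), which looks like a copy-paste slip rather than an intended nested grouping; the array should hold that id once, `"groups": [ "15e2b5ad-2040-4253-89a6-60f085c66f86" ]`. Since this fixture is what the with-logstash test package imports into Kibana, a malformed Lens state is presumably either rejected at import or rendered with a duplicated layer, so it is worth validating the object against a running stack before relying on it. Less important, the markdown navigation panel on this URLs dashboard is still titled `"Files Navigation Textbox [Logs MISP]"` (hidden because `hidePanelTitles` is true); renaming it to `"URLs Navigation Textbox [Logs MISP]"` keeps the saved object self-describing.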
diff --git a/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json b/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json
new file mode 100644
index 0000000000..127c7707d2
--- /dev/null
+++ b/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json
@@ -0,0 +1,665 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "ti_misp.threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ti_misp.threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**[MISP Overview (This Page)](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294)** \n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \n\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\n\n\n**Overview**\n\nThis dashboard is a health overview related to the MISP integration.\n\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from MISP. 
\n\nIt shows ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from MISP.", + "openLinksInNewTab": false + }, + "title": "Overview Textbox [Logs AbuseCH]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 36, + "i": "ce31769b-ab7b-48c0-8869-bdf0c943d013", + "w": 7, + "x": 0, + "y": 0 + }, + "panelIndex": "ce31769b-ab7b-48c0-8869-bdf0c943d013", + "type": "visualization", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "controls": [ + { + "fieldName": "threat.indicator.provider", + "id": "1641204819355", + "indexPatternRefName": "control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern", + "label": "Indicator Provider", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "threat.indicator.type", + "id": "1641204843291", + "indexPatternRefName": "control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern", + "label": "Indicator Type", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": false, + "useTimeFilter": false + }, + "title": "", + "type": "input_control_vis", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5", + "w": 26, + "x": 7, + "y": 0 + }, + "panelIndex": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5", + "title": "Indicator Selector [Logs MISP]", + "type": "visualization", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d87f35ee-570a-488b-b618-6ada39b49df4": { + "columnOrder": [ + "427cdedd-a93a-4f8e-93ce-f872b3809ae4", + "d0f21543-9576-400e-aeca-babc5407d3a7" + ], + "columns": { + "427cdedd-a93a-4f8e-93ce-f872b3809ae4": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threat.indicator.type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d0f21543-9576-400e-aeca-babc5407d3a7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.type" + }, + "d0f21543-9576-400e-aeca-babc5407d3a7": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "427cdedd-a93a-4f8e-93ce-f872b3809ae4" + ], + "layerId": "d87f35ee-570a-488b-b618-6ada39b49df4", + "layerType": "data", + "legendDisplay": "default", + "metric": "d0f21543-9576-400e-aeca-babc5407d3a7", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 22, + "i": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b", + "w": 15, + "x": 33, + "y": 0 + }, + "panelIndex": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b", + "title": "Total Indicators per type [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + 
"embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0491a750-3050-47a9-bb99-c45984d3d28c": { + "columnOrder": [ + "fb93835d-e6a1-49b4-8911-ae15b081da8a" + ], + "columns": { + "fb93835d-e6a1-49b4-8911-ae15b081da8a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Indicators", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "fb93835d-e6a1-49b4-8911-ae15b081da8a", + "layerId": "0491a750-3050-47a9-bb99-c45984d3d28c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "7cb42a10-64fd-454a-8669-f579fa2d0850", + "w": 6, + "x": 7, + "y": 8 + }, + "panelIndex": "7cb42a10-64fd-454a-8669-f579fa2d0850", + "title": "Total Indicators [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "471f2a97-fb44-41a1-a5a0-2f68b9140ef5": { + "columnOrder": [ + "16691165-3643-4658-bfc8-4bba834f2789", + "3e085a0a-8386-4f64-a629-44ae27b18878" + ], + "columns": { + "16691165-3643-4658-bfc8-4bba834f2789": { + "dataType": 
"string", + "isBucketed": true, + "label": "Top values of threat.indicator.provider", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "3e085a0a-8386-4f64-a629-44ae27b18878", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.provider" + }, + "3e085a0a-8386-4f64-a629-44ae27b18878": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "3e085a0a-8386-4f64-a629-44ae27b18878" + ], + "layerId": "471f2a97-fb44-41a1-a5a0-2f68b9140ef5", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "splitAccessor": "16691165-3643-4658-bfc8-4bba834f2789" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "f5937489-643e-4254-819d-b1290b4b74c2", + "w": 20, + "x": 13, + "y": 8 + }, + "panelIndex": "f5937489-643e-4254-819d-b1290b4b74c2", + "title": "Total Indicators per Provider [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7": { + "columnOrder": [ + "4d7ca99c-8a53-4a7f-96db-409251c0e391", + "b7f07f7c-1477-4f83-95f5-ad5cdc3a314b", + "0726d151-9edf-41cb-ab52-473ab27cf8b7" + ], + "columns": { + "0726d151-9edf-41cb-ab52-473ab27cf8b7": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "4d7ca99c-8a53-4a7f-96db-409251c0e391": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of event.dataset", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0726d151-9edf-41cb-ab52-473ab27cf8b7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "event.dataset" + }, + "b7f07f7c-1477-4f83-95f5-ad5cdc3a314b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "30s" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "curveType": "CURVE_MONOTONE_X", + "fittingFunction": "Zero", + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "0726d151-9edf-41cb-ab52-473ab27cf8b7" + ], + "layerId": "c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "4d7ca99c-8a53-4a7f-96db-409251c0e391", + "xAccessor": "b7f07f7c-1477-4f83-95f5-ad5cdc3a314b" + } + ], + "legend": { + "isInside": false, + "isVisible": true, + "position": "bottom", + "shouldTruncate": false, + 
"showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "xTitle": "Date", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Total Indicators" + } + }, + "title": "Indicators ingested per Datastream [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "77a4acf0-c56d-420f-b50b-8e5b082931c9", + "w": 41, + "x": 7, + "y": 22 + }, + "panelIndex": "77a4acf0-c56d-420f-b50b-8e5b082931c9", + "title": "Indicators ingested [Logs MISP]", + "type": "lens", + "version": "8.0.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Logs MISP] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-current-indexpattern", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json b/test/packages/with-logstash/ti_misp/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json new file mode 100644 index 0000000000..b202c82473 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "", + "name": "MISP" + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "migrationVersion": { + "tag": "8.0.0" + }, + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/kibana/tags.yml b/test/packages/with-logstash/ti_misp/kibana/tags.yml new file mode 100644 index 0000000000..47f20a8f55 --- /dev/null +++ b/test/packages/with-logstash/ti_misp/kibana/tags.yml 
@@ -0,0 +1,4 @@ +- text: Security Solution + asset_types: + - dashboard + - search diff --git a/test/packages/with-logstash/ti_misp/manifest.yml b/test/packages/with-logstash/ti_misp/manifest.yml new file mode 100644 index 0000000000..69a00201dc --- /dev/null +++ b/test/packages/with-logstash/ti_misp/manifest.yml @@ -0,0 +1,24 @@ +name: ti_misp +title: MISP +version: "1.22.0" +description: Ingest threat intelligence indicators from MISP platform with Elastic Agent. +type: integration +format_version: 2.11.0 +categories: ["security", "threat_intel"] +conditions: + kibana.version: ^8.7.1 +icons: + - src: /img/misp.svg + title: MISP + size: 216x216 + type: image/svg+xml +policy_templates: + - name: ti_misp + title: MISP + description: Ingest threat intelligence indicators from MISP platform with Elastic Agent. + inputs: + - type: httpjson + title: "Ingest threat intelligence indicators from MISP platform with Elastic Agent." + description: "Ingest threat intelligence indicators from MISP platform with Elastic Agent." +owner: + github: elastic/security-external-integrations From 89428181979ef8b10c5719d01daef44929c6750b Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Tue, 26 Sep 2023 21:50:08 +0200 Subject: [PATCH 08/17] Add tests for CI --- .buildkite/pipeline.trigger.integration.tests.sh | 1 + Makefile | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.buildkite/pipeline.trigger.integration.tests.sh b/.buildkite/pipeline.trigger.integration.tests.sh index d6671bcf36..23e76440c4 100755 --- a/.buildkite/pipeline.trigger.integration.tests.sh +++ b/.buildkite/pipeline.trigger.integration.tests.sh @@ -34,6 +34,7 @@ CHECK_PACKAGES_TESTS=( test-check-packages-with-kind test-check-packages-with-custom-agent test-check-packages-benchmarks + test-check-packages-with-logstash ) for test in ${CHECK_PACKAGES_TESTS[@]}; do echo " - label: \":go: Running integration test: ${test}\"" diff --git a/Makefile b/Makefile index a7143a6394..87ab314f0a 100644 
--- a/Makefile +++ b/Makefile @@ -70,7 +70,7 @@ test-stack-command-8x: test-stack-command: test-stack-command-default test-stack-command-7x test-stack-command-800 test-stack-command-8x -test-check-packages: test-check-packages-with-kind test-check-packages-other test-check-packages-parallel test-check-packages-with-custom-agent test-check-packages-benchmarks test-check-packages-false-positives +test-check-packages: test-check-packages-with-kind test-check-packages-other test-check-packages-parallel test-check-packages-with-custom-agent test-check-packages-benchmarks test-check-packages-false-positives test-check-packages-with-logstash test-check-packages-with-kind: PACKAGE_TEST_TYPE=with-kind ./scripts/test-check-packages.sh @@ -81,8 +81,8 @@ test-check-packages-other: test-check-packages-false-positives: PACKAGE_TEST_TYPE=false_positives ./scripts/test-check-false-positives.sh -test-check-packages-false-positives: - PACKAGE_TEST_TYPE=with-logstash ./scripts/test-check-packages-with-logstash.sh +test-check-packages-with-logstash: + PACKAGE_TEST_TYPE=with-logstash ./scripts/test-check-packages-with-logstash.sh test-check-packages-benchmarks: PACKAGE_TEST_TYPE=benchmarks ./scripts/test-check-packages.sh From eee61755de9713427cc74785fa36c1bdb3274d32 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Tue, 26 Sep 2023 22:18:10 +0200 Subject: [PATCH 09/17] Fix test errors --- internal/stack/_static/kibana.yml.tmpl | 1 - scripts/test-check-packages-with-logstash.sh | 67 +------------------ .../data_stream/threat/fields/base-fields.yml | 3 + .../threat_attributes/fields/base-fields.yml | 3 + 4 files changed, 8 insertions(+), 66 deletions(-) diff --git a/internal/stack/_static/kibana.yml.tmpl b/internal/stack/_static/kibana.yml.tmpl index 19fdb45e77..b75da58325 100644 --- a/internal/stack/_static/kibana.yml.tmpl +++ b/internal/stack/_static/kibana.yml.tmpl 
@@ -21,7 +21,6 @@ elasticsearch.serviceAccountToken: "AAEAAWVsYXN0aWMva2liYW5hL2VsYXN0aWMtcGFja2Fn monitoring.ui.container.elasticsearch.enabled: true -xpack.fleet.agents.elasticsearch.hosts: ["https://elasticsearch:9200"] {{ end }} xpack.fleet.registryUrl: "https://package-registry:8080" diff --git a/scripts/test-check-packages-with-logstash.sh b/scripts/test-check-packages-with-logstash.sh index 19b7ca93f2..ec0b2aea2a 100755 --- a/scripts/test-check-packages-with-logstash.sh +++ b/scripts/test-check-packages-with-logstash.sh 
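Review bot: The removed `xpack.fleet.agents.elasticsearch.hosts: ["https://elasticsearch:9200"]` was the line pinning Fleet-managed agents to the TLS Elasticsearch endpoint, and nothing in this hunk replaces it, so the agent output now has to come from wherever else the stack configures it — presumably the Fleet output objects the Logstash docs refer to (`fleet-logstash-output`), but that is not visible here. The commit message only says "Fix test errors", so the reason this setting conflicted with the Logstash output is lost to the next reader; a one-line template comment would keep it, e.g. `# Agent output hosts are set on the Fleet output objects during stack setup, not here; a static hosts entry here overrides the Logstash output.` The enclosing `{{ if }}` block starts outside the hunk.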
@@ -49,69 +49,6 @@ elastic-package stack status # Run package tests for d in test/packages/${PACKAGE_TEST_TYPE:-with-logstash}/${PACKAGE_UNDER_TEST:-*}/; do - check_build_output $d - check_expected_errors $d + cd $d + elastic-package test -v --report-format xUnit --report-output file --defer-cleanup 1s --test-coverage done - -function check_expected_errors() { - local package_root=$1 - local package_name=$(basename $1) - local expected_errors_file="${package_root%/}.expected_errors" - local result_tests="build/test-results/${package_name}_*.xml" - local results_no_spaces="build/test-results-no-spaces.xml" - - if [ ! -f ${expected_errors_file} ]; then - echo "No unexpected errors file in ${expected_errors_file}" - return - fi - - rm -f ${result_tests} - ( - cd $package_root - elastic-package test -v --report-format xUnit --report-output file --test-coverage --defer-cleanup 1s || true - ) - - cat ${result_tests} | tr -d '\n' > ${results_no_spaces} - - # check number of expected errors - local number_errors=$(cat ${result_tests} | grep "" | wc -l) - local expected_errors=$(cat ${expected_errors_file} | wc -l) - - if [ ${number_errors} -ne ${expected_errors} ]; then - echo "Error: There are unexpected errors in ${package_name}" - exit 1 - fi - - # check whether or not the expected errors exist in the xml files - while read -r line; do - cat ${results_no_spaces} | grep -E "${line}" - done < ${expected_errors_file} - - rm -f ${result_tests} - rm -f ${results_no_spaces} -} - -function check_build_output() { - local package_root=$1 - local expected_build_output="${package_root%/}.build_output" - local output_file="$PWD/build/elastic-package-output" - - if [ ! 
-f ${expected_build_output} ]; then - ( - cd $package_root - elastic-package build -v - ) - return - fi - - ( - cd $package_root - mkdir -p $(dirname $output_file) - elastic-package build 2>&1 | tee $output_file || true # Ignore errors here - ) - - diff -w -u $expected_build_output $output_file || ( - echo "Error: Build output has differences with expected output" - exit 1 - ) -} diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml index 337375ce74..156eb2e1ef 100644 --- a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml @@ -26,3 +26,6 @@ - name: "@timestamp" type: date description: Event timestamp. +- name: "@version" + type: string + description: Event version. diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml index 10b0f62a86..9f408466a4 100644 --- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml +++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml @@ -26,3 +26,6 @@ - name: "@timestamp" type: date description: Event timestamp. +- name: "@version" + type: string + description: Event version. \ No newline at end of file From d5000846ad981c1b31f3643b322ded3ee1220ade Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Wed, 27 Sep 2023 09:17:49 +0200 Subject: [PATCH 10/17] Fix package for testing --- scripts/test-check-packages-with-logstash.sh | 6 +++--- .../ti_misp/data_stream/threat/fields/base-fields.yml | 2 +- .../data_stream/threat_attributes/fields/base-fields.yml | 4 ++-- test/packages/with-logstash/ti_misp/docs/README.md | 2 ++ 4 files changed, 8 insertions(+), 6 deletions(-) 
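Review bot: The new loop body runs `cd $d` in the parent shell with no return, so on the second iteration the relative `test/packages/${PACKAGE_TEST_TYPE}/...` path no longer resolves and, under the `set -euxo pipefail` this script carries (visible in its later full listing), the run aborts after the first package. Keep the directory change in a subshell and quote the path: `( cd "$d" && elastic-package test -v --report-format xUnit --report-output file --defer-cleanup 1s --test-coverage )`. Note also that the deleted `check_expected_errors` wrapped the test call in `|| true`; the new loop stops at the first failing package, which may be intended but means later packages produce no report.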
diff --git a/scripts/test-check-packages-with-logstash.sh b/scripts/test-check-packages-with-logstash.sh index ec0b2aea2a..7b70c74f51 100755 --- a/scripts/test-check-packages-with-logstash.sh +++ b/scripts/test-check-packages-with-logstash.sh @@ -8,12 +8,12 @@ function cleanup() { # Dump stack logs elastic-package stack dump -v --output "build/elastic-stack-dump/check-${PACKAGE_UNDER_TEST:-${PACKAGE_TEST_TYPE:-*}}" - # Delete the logstash profile - elastic-package profiles delete logstash -v - # Take down the stack elastic-package stack down -v + # Delete the logstash profile + elastic-package profiles delete logstash -v + # Clean used resources for d in test/packages/${PACKAGE_TEST_TYPE:-with-logstash}/${PACKAGE_UNDER_TEST:-*}/; do ( diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml index 156eb2e1ef..4e58dd4312 100644 --- a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml @@ -27,5 +27,5 @@ type: date description: Event timestamp. - name: "@version" - type: string + type: text description: Event version. diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml index 9f408466a4..fdf2687869 100644 --- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml +++ b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml @@ -27,5 +27,5 @@ type: date description: Event timestamp. - name: "@version" - type: string - description: Event version. \ No newline at end of file + type: text + description: Event version. 
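Review bot: Moving `profiles delete` after `stack down` is the right order, but every step in `cleanup` still runs under the script's `set -e` (which, as far as I can tell, bash keeps in effect inside an EXIT trap), so if the dump or `stack down` fails the profile delete and the per-package `clean` are skipped and `exit $r` is never reached. A leftover `logstash` profile then presumably makes the next run's `profiles create logstash` fail before any test runs — whether `profiles create` refuses to overwrite an existing profile is not visible here, confirm. Make the best-effort steps non-fatal: `elastic-package stack down -v || true` and `elastic-package profiles delete logstash -v || true`. `cleanup` continues outside the hunk.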
diff --git a/test/packages/with-logstash/ti_misp/docs/README.md b/test/packages/with-logstash/ti_misp/docs/README.md index 8af83e05a2..5d16e0bceb 100644 --- a/test/packages/with-logstash/ti_misp/docs/README.md +++ b/test/packages/with-logstash/ti_misp/docs/README.md @@ -16,6 +16,7 @@ The filters themselves are based on the [MISP API documentation](https://www.cir | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | +| @version | Event version. | text | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | @@ -293,6 +294,7 @@ This data stream uses the `/attributes/restSearch` API endpoint which returns mo | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | +| @version | Event version. | text | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | From d28d2f20982b2b7a71fec06165f81676088149cc Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Wed, 27 Sep 2023 10:27:51 +0200 Subject: [PATCH 11/17] Add docs and fix script --- docs/howto/system_testing.md | 19 +++++++++++++++++++ scripts/test-check-packages-with-logstash.sh | 10 ++++------ 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/docs/howto/system_testing.md b/docs/howto/system_testing.md index 15655e7021..8000118e99 100644 --- a/docs/howto/system_testing.md +++ b/docs/howto/system_testing.md 
@@ -579,6 +579,25 @@ Example `expected_errors` file content: * observed hit count 4 did not match expected hit count 2 ``` +### System testing with logstash + +It is possible to test packages that output to logstash which in turn publishes events to elasticsearch. +A profile config option `stack.logstash_enabled` has been added to profile configuration. + +When this profile config is enabled +- Logstash output is added in Fleet with id `fleet-logstash-output` +- Logstash service is created in the stack which reads from `elastic-agent` input and outputs to `elasticsearch`. +- Logstash is also configured with `elastic-integration` plugin. Once configured to point to an elasticsearch cluster, this filter will detect which ingest pipeline (if any) should be executed for each event, auto-detecting the event’s data-stream and its default pipeline. + +A sample workflow would look like: + +- You can [create](https://github.com/elastic/elastic-package#elastic-package-profiles-create) a new profile / [use existing profile](https://github.com/elastic/elastic-package#elastic-package-profiles-use) to test this. +- Navigate to `~/.elastic-package/profiles//`. +- Rename `config.yml.example` to `config.yml` [ If config is not used before ] +- Uncomment the line `# stack.logstash_enabled: true` +- Run `elastic-package stack up -d -v` +- Navigate to the package folder in integrations and run `elastic-package test system -v` + ## Continuous Integration `elastic-package` runs a set of system tests on some [dummy packages](https://github.com/elastic/elastic-package/tree/main/test/packages) to ensure it's functionalities work as expected. This allows to test changes affecting package testing within `elastic-package` before merging and releasing the changes. diff --git a/scripts/test-check-packages-with-logstash.sh b/scripts/test-check-packages-with-logstash.sh index 7b70c74f51..0f86e12d9b 100755 --- a/scripts/test-check-packages-with-logstash.sh 
+++ b/scripts/test-check-packages-with-logstash.sh @@ -16,10 +16,8 @@ function cleanup() { # Clean used resources for d in test/packages/${PACKAGE_TEST_TYPE:-with-logstash}/${PACKAGE_UNDER_TEST:-*}/; do - ( - cd $d - elastic-package clean -v - ) + cd $d + elastic-package clean -v done exit $r @@ -34,9 +32,9 @@ elastic-package profiles create logstash -v elastic-package profiles use logstash # Rename the config.yml.example to config.yml -mv ~/.elastic-package/profiles/logstash/config.yml.example ~/.elastic-package/profiles/logstash/config.yml -v +mv ~/.elastic-package/profiles/logstash/config.yml.example ~/.elastic-package/profiles/logstash/config.yml -# Add config to enable logstash +# Append config to enable logstash echo "stack.logstash_enabled: true" >> ~/.elastic-package/profiles/logstash/config.yml # Update the stack From 5661cb24f7ea2853e1146b02c22ab363f08ecade Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Wed, 27 Sep 2023 11:07:40 +0200 Subject: [PATCH 12/17] Fix script --- scripts/test-check-packages-with-logstash.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts/test-check-packages-with-logstash.sh b/scripts/test-check-packages-with-logstash.sh index 0f86e12d9b..0ce9d4f98b 100755 --- a/scripts/test-check-packages-with-logstash.sh +++ b/scripts/test-check-packages-with-logstash.sh @@ -16,8 +16,11 @@ function cleanup() { # Clean used resources for d in test/packages/${PACKAGE_TEST_TYPE:-with-logstash}/${PACKAGE_UNDER_TEST:-*}/; do + ( cd $d elastic-package clean -v + ) + cd - done exit $r @@ -26,6 +29,7 @@ function cleanup() { trap cleanup EXIT export ELASTIC_PACKAGE_LINKS_FILE_PATH="$(pwd)/scripts/links_table.yml" +OLDPWD=$PWD # Create a logstash profile and use it elastic-package profiles create logstash -v 
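Review bot: The `cd -` added after the `( cd $d; elastic-package clean -v )` subshell in `cleanup` is redundant: the subshell never changes the parent's working directory, so `cd -` only jumps to `$OLDPWD` and prints it. The `OLDPWD=$PWD` assignment in the following hunk exists solely to make that jump a no-op — without it the first `cd -` would move into whatever `OLDPWD` the CI shell inherited. Drop the `cd -` lines (the same pattern appears in the test loop further down) and the `OLDPWD=$PWD` line, keep the subshell, and quote the path: `( cd "$d" && elastic-package clean -v )`.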
@@ -47,6 +51,9 @@ elastic-package stack status # Run package tests for d in test/packages/${PACKAGE_TEST_TYPE:-with-logstash}/${PACKAGE_UNDER_TEST:-*}/; do +( cd $d elastic-package test -v --report-format xUnit --report-output file --defer-cleanup 1s --test-coverage +) +cd - done From 0440b0576c0dc69e6ad892590f57f1d473559119 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Wed, 27 Sep 2023 13:35:37 +0200 Subject: [PATCH 13/17] Move logstash tests under test-check-packages --- Makefile | 2 +- scripts/test-check-packages-with-logstash.sh | 59 -------------------- scripts/test-check-packages.sh | 17 ++++++ 3 files changed, 18 insertions(+), 60 deletions(-) delete mode 100755 scripts/test-check-packages-with-logstash.sh diff --git a/Makefile b/Makefile index 87ab314f0a..8ef78ae89c 100644 --- a/Makefile +++ b/Makefile @@ -82,7 +82,7 @@ test-check-packages-false-positives: PACKAGE_TEST_TYPE=false_positives ./scripts/test-check-false-positives.sh test-check-packages-with-logstash: - PACKAGE_TEST_TYPE=with-logstash ./scripts/test-check-packages-with-logstash.sh + PACKAGE_TEST_TYPE=with-logstash ./scripts/test-check-packages.sh test-check-packages-benchmarks: PACKAGE_TEST_TYPE=benchmarks ./scripts/test-check-packages.sh diff --git a/scripts/test-check-packages-with-logstash.sh b/scripts/test-check-packages-with-logstash.sh deleted file mode 100755 index 0ce9d4f98b..0000000000 --- a/scripts/test-check-packages-with-logstash.sh +++ /dev/null 
@@ -1,59 +0,0 @@
-#!/bin/bash
-
-set -euxo pipefail
-
-function cleanup() {
- r=$?
-
- # Dump stack logs
- elastic-package stack dump -v --output "build/elastic-stack-dump/check-${PACKAGE_UNDER_TEST:-${PACKAGE_TEST_TYPE:-*}}"
-
- # Take down the stack
- elastic-package stack down -v
-
- # Delete the logstash profile
- elastic-package profiles delete logstash -v
-
- # Clean used resources
- for d in test/packages/${PACKAGE_TEST_TYPE:-with-logstash}/${PACKAGE_UNDER_TEST:-*}/; do
- (
- cd $d
- elastic-package clean -v
- )
- cd -
- done
-
- exit $r
-}
-
-trap cleanup EXIT
-
-export ELASTIC_PACKAGE_LINKS_FILE_PATH="$(pwd)/scripts/links_table.yml"
-OLDPWD=$PWD
-
-# Create a logstash profile and use it
-elastic-package profiles create logstash -v
-elastic-package profiles use logstash
-
-# Rename the config.yml.example to config.yml
-mv ~/.elastic-package/profiles/logstash/config.yml.example ~/.elastic-package/profiles/logstash/config.yml
-
-# Append config to enable logstash
-echo "stack.logstash_enabled: true" >> ~/.elastic-package/profiles/logstash/config.yml
-
-# Update the stack
-elastic-package stack update -v
-
-# Boot up the stack
-elastic-package stack up -d -v
-
-elastic-package stack status
-
-# Run package tests
-for d in test/packages/${PACKAGE_TEST_TYPE:-with-logstash}/${PACKAGE_UNDER_TEST:-*}/; do
-(
- cd $d
- elastic-package test -v --report-format xUnit --report-output file --defer-cleanup 1s --test-coverage
-)
-cd -
-done
diff --git a/scripts/test-check-packages.sh b/scripts/test-check-packages.sh
index 384fe4add3..2e013ed676 100755
--- a/scripts/test-check-packages.sh
+++ b/scripts/test-check-packages.sh
@@ -22,6 +22,11 @@ cleanup() {
 # Take down the stack
 elastic-package stack down -v
+ if [ "${PACKAGE_TEST_TYPE:-other}" == "with-logstash" ]; then
+ # Delete the logstash profile
+ elastic-package profiles delete logstash -v
+ fi
+
 # Clean used resources
 for d in test/packages/${PACKAGE_TEST_TYPE:-other}/${PACKAGE_UNDER_TEST:-*}/; do
 (
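Review bot: The profile is deleted in cleanup() while `logstash` is still the selected profile, since nothing undoes the earlier `elastic-package profiles use logstash`; if that selection is persisted in the tool's configuration, a later run of a different test type may start out pointing at a profile that no longer exists, and running `elastic-package profiles use default` before the delete would avoid it. The `==` inside single brackets is a bash extension; if this script is not guaranteed to run under bash, `[ "${PACKAGE_TEST_TYPE:-other}" = "with-logstash" ]` is the portable spelling. cleanup() begins above this hunk.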
@@ -47,6 +52,18 @@ for d in test/packages/${PACKAGE_TEST_TYPE:-other}/${PACKAGE_UNDER_TEST:-*}/; do
 done
 cd -
+if [ "${PACKAGE_TEST_TYPE:-other}" == "with-logstash" ]; then
+ # Create a logstash profile and use it
+ elastic-package profiles create logstash -v
+ elastic-package profiles use logstash
+
+ # Rename the config.yml.example to config.yml
+ mv ~/.elastic-package/profiles/logstash/config.yml.example ~/.elastic-package/profiles/logstash/config.yml
+
+ # Append config to enable logstash
+ echo "stack.logstash_enabled: true" >> ~/.elastic-package/profiles/logstash/config.yml
+fi
+
 # Update the stack
 elastic-package stack update -v
From 7d096e90c492287b3fe839fe76acffef6c14fcde Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Wed, 27 Sep 2023 14:40:59 +0200
Subject: [PATCH 14/17] Address pr comments
---
 internal/install/application_configuration.go | 2 +-
 internal/stack/config.go | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/internal/install/application_configuration.go b/internal/install/application_configuration.go
index f7a4946f5e..bdac93cc62 100644
--- a/internal/install/application_configuration.go
+++ b/internal/install/application_configuration.go
@@ -88,7 +88,7 @@ func (s stack) ImageRefOverridesForVersion(version string) ImageRefs {
 ElasticAgent: checkImageRefOverride("ELASTIC_AGENT_IMAGE_REF_OVERRIDE", stringOrDefault(appConfigImageRefs.ElasticAgent, "")),
 Elasticsearch: checkImageRefOverride("ELASTICSEARCH_IMAGE_REF_OVERRIDE", stringOrDefault(appConfigImageRefs.Elasticsearch, "")),
 Kibana: checkImageRefOverride("KIBANA_IMAGE_REF_OVERRIDE", stringOrDefault(appConfigImageRefs.Kibana, "")),
- Logstash: checkImageRefOverride("LOGSTAHS_IMAGE_REF_OVERRIDE", stringOrDefault(appConfigImageRefs.Logstash, "")),
+ Logstash: checkImageRefOverride("LOGSTASH_IMAGE_REF_OVERRIDE", stringOrDefault(appConfigImageRefs.Logstash, "")),
 }
 }
diff --git a/internal/stack/config.go b/internal/stack/config.go
index 8b8aca63cc..01b0cfadf1 100644
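Review bot: The profile directory `~/.elastic-package/profiles/logstash` is spelled out three times in the new block; hoisting it, `LOGSTASH_PROFILE_DIR=~/.elastic-package/profiles/logstash`, keeps the rename and the append in step and gives one place to adjust if the profile location ever becomes configurable. The `echo ... >>` appends unconditionally, which is only safe because the profile was created fresh a few lines above and the example config presumably does not already set that key; a comment stating that dependency, `# appending is safe: the profile was just created from the example config`, would stop someone reordering these steps. The `==` inside `[ ]` is the same bash-only spelling as in the cleanup hunk of this commit.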
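Review bot: The override variable now reads `LOGSTASH_IMAGE_REF_OVERRIDE`, matching the `LOGSTASH_IMAGE_REF` key that AsEnv emits, but nothing in the package pins that spelling; a table-driven test of ImageRefOverridesForVersion that sets each `*_IMAGE_REF_OVERRIDE` variable with `t.Setenv` and asserts the corresponding ImageRefs field would have caught the original typo and guards the other names the same way. The function's opening is above this hunk.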
--- a/internal/stack/config.go
+++ b/internal/stack/config.go
@@ -25,7 +25,6 @@ type Config struct {
 ElasticsearchPassword string `json:"elasticsearch_password,omitempty"`
 KibanaHost string `json:"kibana_host,omitempty"`
 CACertFile string `json:"ca_cert_file,omitempty"`
- LogstashHost string `json:"logstash_host,omitempty"`
 }
 func configPath(profile *profile.Profile) string {
@@ -42,7 +41,6 @@ func defaultConfig(profile *profile.Profile) Config {
 ElasticsearchPassword: elasticsearchPassword,
 KibanaHost: "https://127.0.0.1:5601",
 CACertFile: profile.Path(CACertificateFile),
- LogstashHost: "https://127.0.0.1:5044",
 }
 }
From 539098b96a4acf21005129e16b5ab86fb2bb1228 Mon Sep 17 00:00:00 2001
From: Bharat Pasupula Date: Thu, 28 Sep 2023 15:30:09 +0200 Subject: [PATCH 15/17] Lighten the test package and fix @version in logstash event --- internal/stack/_static/logstash.conf.tmpl | 1 + .../ti_misp/_dev/build/build.yml | 2 +- .../ti_misp/_dev/build/docs/README.md | 24 - .../with-logstash/ti_misp/changelog.yml | 10 + .../pipeline/test-misp-attributes-ndjson.log | 26 - ...test-misp-attributes-ndjson.log-config.yml | 3 - ...t-misp-attributes-ndjson.log-expected.json | 2607 ----------------- .../test/pipeline/test-misp-long-ndjson.log | 2 - .../test-misp-long-ndjson.log-config.yml | 2 - .../test-misp-long-ndjson.log-expected.json | 221 -- .../test/pipeline/test-misp-sample-ndjson.log | 16 - .../test-misp-sample-ndjson.log-config.yml | 3 - .../test-misp-sample-ndjson.log-expected.json | 1222 -------- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../data_stream/threat/fields/base-fields.yml | 3 - .../data_stream/threat/sample_event.json | 2 +- .../_dev/test/pipeline/test-common-config.yml | 3 - .../test/pipeline/test-misp-sample-ndjson.log | 12 - .../test-misp-sample-ndjson.log-expected.json | 767 ----- .../_dev/test/system/test-default-config.yml | 13 - .../agent/stream/httpjson.yml.hbs | 80 - .../elasticsearch/ingest_pipeline/default.yml | 447 --- .../threat_attributes/fields/agent.yml | 198 -- .../threat_attributes/fields/base-fields.yml | 31 - .../threat_attributes/fields/beats.yml | 12 - .../threat_attributes/fields/ecs.yml | 78 - .../threat_attributes/fields/fields.yml | 277 -- .../threat_attributes/manifest.yml | 112 - .../threat_attributes/sample_event.json | 87 - .../with-logstash/ti_misp/docs/README.md | 4 +- ...-32d9c020-71ea-11ec-8197-5d53a5437877.json | 952 ------ ...-399bb8d0-71ec-11ec-8197-5d53a5437877.json | 694 ----- ...-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json | 665 ----- ...-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json | 14 - .../with-logstash/ti_misp/kibana/tags.yml | 4 - .../with-logstash/ti_misp/manifest.yml | 8 +- 36 files changed, 
20 insertions(+), 8584 deletions(-)
 delete mode 100644 test/packages/with-logstash/ti_misp/_dev/build/docs/README.md
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-config.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-config.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-expected.json
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-config.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-common-config.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs
 delete mode 100644 
test/packages/with-logstash/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/agent.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/beats.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/ecs.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/fields.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/manifest.yml
 delete mode 100644 test/packages/with-logstash/ti_misp/data_stream/threat_attributes/sample_event.json
 delete mode 100644 test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json
 delete mode 100644 test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json
 delete mode 100644 test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json
 delete mode 100644 test/packages/with-logstash/ti_misp/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json
 delete mode 100644 test/packages/with-logstash/ti_misp/kibana/tags.yml
diff --git a/internal/stack/_static/logstash.conf.tmpl b/internal/stack/_static/logstash.conf.tmpl
index f75abafea8..88687dcfec 100644
--- a/internal/stack/_static/logstash.conf.tmpl
+++ b/internal/stack/_static/logstash.conf.tmpl
@@ -11,6 +11,7 @@ input {
 filter {
 elastic_integration {
+ remove_field => ['@version']
 hosts => ["https://elasticsearch:9200"]
 username => {{ fact "username" }}
 password => {{ fact "password" }}
diff --git a/test/packages/with-logstash/ti_misp/_dev/build/build.yml b/test/packages/with-logstash/ti_misp/_dev/build/build.yml
index c8eeec8cac..2e15cac656 100644
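Review bot: `remove_field` is one of Logstash's common filter options and only runs when the owning filter succeeds, so attached to `elastic_integration` it leaves `@version` on any event that filter fails to process; if the goal is that the field never reaches Elasticsearch, a dedicated `mutate { remove_field => ["@version"] }` placed after the `elastic_integration` block makes the removal unconditional and self-explanatory. Either way the motivation should be recorded next to the line, e.g. `# drop @version, which Logstash adds and which the package tests do not expect`, assuming that is the reason behind the commit subject. The rest of the filter block is outside this hunk.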
--- a/test/packages/with-logstash/ti_misp/_dev/build/build.yml
+++ b/test/packages/with-logstash/ti_misp/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
 ecs:
- reference: git@v8.9.0
+ reference: "git@v8.10.0"
diff --git a/test/packages/with-logstash/ti_misp/_dev/build/docs/README.md b/test/packages/with-logstash/ti_misp/_dev/build/docs/README.md
deleted file mode 100644
index 6403590840..0000000000
--- a/test/packages/with-logstash/ti_misp/_dev/build/docs/README.md
+++ /dev/null
@@ -1,24 +0,0 @@
-# MISP Integration
-
-The MISP integration uses the [REST API from the running MISP instance](https://www.circl.lu/doc/misp/automation/#automation-api) to retrieve indicators and Threat Intelligence.
-
-## Logs
-
-### Threat
-
-The MISP integration configuration allows to set the polling interval, how far back it
-should look initially, and optionally any filters used to filter the results.
-
-The filters themselves are based on the [MISP API documentation](https://www.circl.lu/doc/misp/automation/#search) and should support all documented fields.
-
-{{fields "threat"}}
-
-{{event "threat"}}
-
-### Threat Attributes
-
-The MISP integration configuration allows to set the polling interval, how far back it should look initially, and optionally any filters used to filter the results.
-This data stream uses the `/attributes/restSearch` API endpoint which returns more granular information regarding MISP attributes and additional information.
-
-{{fields "threat_attributes"}}
-
diff --git a/test/packages/with-logstash/ti_misp/changelog.yml b/test/packages/with-logstash/ti_misp/changelog.yml
index 1fcea4408d..9c46b365d8 100644
--- a/test/packages/with-logstash/ti_misp/changelog.yml
+++ b/test/packages/with-logstash/ti_misp/changelog.yml
@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: 1.24.0
+ changes:
+ - description: ECS version updated to 8.10.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7920
+- version: 1.23.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
 - version: "1.22.0"
 changes:
 - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log
deleted file mode 100644
index db8957404b..0000000000
--- a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log
+++ /dev/null
@@ -1,26 +0,0 @@ -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload installation","comment":"Contextual comment for the file md5 attribute","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3631","first_seen":null,"id":"266258","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588162","to_ids":false,"type":"md5","uuid":"34c59b06-d35d-4808-919c-4b452f185c52","value":"70461da8b94c6ca5d2fda3260c5a8c3b"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3633","info":"Test event 3 objects and attributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"1","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3631","info":"Test event 1 just atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"Artefact dropped for test 
2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266259","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588675","to_ids":true,"type":"md5","uuid":"73102a1c-7432-47b7-9644-6f9d46b6887c","value":"60461da8b94c6ca5d2fda3260c5a8c3b"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Network activity","comment":"Conext for domain type attribute event 
2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266260","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588744","to_ids":true,"type":"domain","uuid":"a52a1b47-a580-4f33-96ba-939cf9146c9b","value":"baddom.madeup.local"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Network activity","comment":"Ip-src attribute context for 
event2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266261","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588800","to_ids":false,"type":"ip-src","uuid":"3dbf224b-7c84-4c4b-9f95-80f28954bd10","value":"10.0.0.1"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Network activity","comment":"ip-dst context for event id 
2","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3632","first_seen":null,"id":"266262","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621588836","to_ids":true,"type":"ip-dst","uuid":"db4bfd36-7374-4f8c-9031-60e56d4bba30","value":"192.168.1.50"},"EventReport":[],"Galaxy":[],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"2","name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"analysis":"2","date":"2018-03-26","distribution":"3","id":"684","info":"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t","org_id":"1","orgc_id":"2","published":true,"threat_level_id":"3","timestamp":"1523865236","uuid":"5acdb4d0-b534-4713-9612-4a1d950d210f"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"4","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3632","info":"Test event 2 just more atrributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"2","timestamp":"1621588836","uuid":"efbca287-edb5-4ad7-b8e4-fe9da514a763"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 
3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266267","last_seen":null,"object_id":"18207","object_relation":"fullpath","sharing_group_id":"0","timestamp":"1621589548","to_ids":false,"type":"text","uuid":"ff97cc32-815e-4fc9-9d4b-cab9822027a6","value":"\\the\\fullpath\\to the file\\filenameofobject.txt"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just 
atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3633","first_seen":null,"id":"266268","last_seen":null,"object_id":"18207","object_relation":"size-in-bytes","sharing_group_id":"0","timestamp":"1621589548","to_ids":false,"type":"size-in-bytes","uuid":"e378b4d9-43e1-4c64-bd4e-70fce2b4e581","value":"505050"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload 
delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266264","last_seen":null,"object_id":"18207","object_relation":"md5","sharing_group_id":"0","timestamp":"1621589548","to_ids":true,"type":"md5","uuid":"787b3822-0bec-4278-b34a-5d649e7bce05","value":"70461da8b94c6ca5d2fda3260c5a8c3b"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename 
contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266265","last_seen":null,"object_id":"18207","object_relation":"sha256","sharing_group_id":"0","timestamp":"1621589548","to_ids":true,"type":"sha256","uuid":"657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e","value":"f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just 
atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"filename contect for test event 3","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3633","first_seen":null,"id":"266263","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1621589229","to_ids":false,"type":"filename","uuid":"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3","value":"thetestfile.txt"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3633","first_seen":null,"id":"266266","last_seen":null,"object_id":"18207","object_relation":"filename","sharing_group_id":"0","timestamp":"1621589548","to_ids":true,"type":"filename","uuid":"6648d129-9200-431b-9b41-263a84f7c9d2","value":"filenameofobject.txt"},"ObjectReference":[],"comment":"File object for event 3","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3633","first_seen":null,"id":"18207","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621589548","uuid":"42a88ad4-6834-46a9-a18b-aff9e078a4ea"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"analysis":"0","date":"2021-05-21","distribution":"1","id":"3631","info":"Test event 1 just atrributes","org_id":"1","orgc_id":"1","published":false,"threat_level_id":"1","timestamp":"1621588162","uuid":"8ca56ae9-3747-4172-93d2-808da1a4eaf3"}}],"ShadowAttribute":[],"analysis":"0","attribute_count":"6","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3633","info":"Test event 3 objects and attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592532","uuid":"4edb20c7-8175-484d-bdcd-fce6872c1ef3"}} -{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3634","first_seen":null,"id":"266269","last_seen":null,"object_id":"18208","object_relation":"text","sharing_group_id":"0","timestamp":"1621591770","to_ids":false,"type":"text","uuid":"25d2f181-26ae-4d6f-b4fd-85b9d1f82e67","value":"Free text in the file object"},"ObjectReference":[],"comment":"File object for test event 4 ","deleted":false,"description":"File object 
describing a file with meta-information","distribution":"5","event_id":"3634","first_seen":null,"id":"18208","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621591770","uuid":"190c762c-a389-4ecc-8f6e-68f92d42adef"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"3","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3634","info":"Test event 4 with object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1621591770","uuid":"d98a8418-9f90-4b50-a623-6921ca5b356d"}} -{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3634","first_seen":null,"id":"266270","last_seen":null,"object_id":"18208","object_relation":"sha256","sharing_group_id":"0","timestamp":"1621591770","to_ids":true,"type":"sha256","uuid":"4e579782-346b-44b3-b72c-1cae8d87cb25","value":"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666"},"ObjectReference":[],"comment":"File object for test event 4 ","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3634","first_seen":null,"id":"18208","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621591770","uuid":"190c762c-a389-4ecc-8f6e-68f92d42adef"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"3","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3634","info":"Test event 4 with object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1621591770","uuid":"d98a8418-9f90-4b50-a623-6921ca5b356d"}} -{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3634","first_seen":null,"id":"266271","last_seen":null,"object_id":"18208","object_relation":"filename","sharing_group_id":"0","timestamp":"1621591770","to_ids":true,"type":"filename","uuid":"a40343b5-a480-4288-9b0c-7ae074a77140","value":"filenameinmispobject.txt"},"ObjectReference":[],"comment":"File object for test event 4 ","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3634","first_seen":null,"id":"18208","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621591770","uuid":"190c762c-a389-4ecc-8f6e-68f92d42adef"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"3","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3634","info":"Test event 4 with object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1621591770","uuid":"d98a8418-9f90-4b50-a623-6921ca5b356d"}} -{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266272","last_seen":null,"object_id":"18209","object_relation":"text","sharing_group_id":"0","timestamp":"1621592379","to_ids":false,"type":"text","uuid":"188a6a15-5704-4e4f-acba-22c55ab08fe8","value":"Object 5 free text attribute in object"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} -{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266275","last_seen":null,"object_id":"18209","object_relation":"entropy","sharing_group_id":"0","timestamp":"1621592379","to_ids":false,"type":"float","uuid":"2400b103-4a33-4f92-ac04-a558b6c6e252","value":"0.53535445"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} -{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266276","last_seen":null,"object_id":"18209","object_relation":"size-in-bytes","sharing_group_id":"0","timestamp":"1621592379","to_ids":false,"type":"size-in-bytes","uuid":"e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7","value":"55555"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} -{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3635","first_seen":null,"id":"266273","last_seen":null,"object_id":"18209","object_relation":"sha256","sharing_group_id":"0","timestamp":"1621592379","to_ids":true,"type":"sha256","uuid":"803f10bd-9087-4169-8699-277579a92693","value":"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} -{"Event":{"Attribute":[],"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3635","first_seen":null,"id":"266274","last_seen":null,"object_id":"18209","object_relation":"filename","sharing_group_id":"0","timestamp":"1621592379","to_ids":true,"type":"filename","uuid":"e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f","value":"object5.txt"},"ObjectReference":[],"comment":"event 5 object comment","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3635","first_seen":null,"id":"18209","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1621592379","uuid":"a62cb6fb-fa1c-45ce-abb8-b46da23631d5"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"5","date":"2021-05-21","disable_correlation":false,"distribution":"1","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3635","info":"Test event 5 with an object","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1621592379","uuid":"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266278","last_seen":null,"object_id":"18210","object_relation":"text","sharing_group_id":"0","timestamp":"1622200348","to_ids":false,"type":"text","uuid":"955e34a5-a630-42c9-868d-6e3dcb575987","value":"Excutable create bad pipe"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object describing a file with 
meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266281","last_seen":null,"object_id":"18211","object_relation":"size-in-bytes","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"size-in-bytes","uuid":"2fa7721b-ad73-4914-b082-8d44233ced98","value":"3892"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable 
Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266283","last_seen":null,"object_id":"18211","object_relation":"name","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"text","uuid":"d35c1ff8-a69c-482b-8fb0-1182988d9468","value":".data"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable 
Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266284","last_seen":null,"object_id":"18211","object_relation":"text","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"text","uuid":"dc11971a-a676-4676-b24c-a45a8791e0b0","value":"Extracted zip archive data"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a 
Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266285","last_seen":null,"object_id":"18211","object_relation":"entropy","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"float","uuid":"a85c0cbb-25a8-4bc9-b146-3cba1020e5bb","value":"7.93280431051"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a 
Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266279","last_seen":null,"object_id":"18210","object_relation":"md5","sharing_group_id":"0","timestamp":"1622200348","to_ids":true,"type":"md5","uuid":"1c97c043-5de2-41a1-b591-3237174cd290","value":"7392463caf95534d56460bc9f360adc1"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object 
describing a file with meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload 
delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266282","last_seen":null,"object_id":"18211","object_relation":"md5","sharing_group_id":"0","timestamp":"1622200780","to_ids":true,"type":"md5","uuid":"f3b8696e-5390-4383-ace2-6e06bfae497d","value":"7295463caf95534d56460bc9f360adc1"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts 
dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266280","last_seen":null,"object_id":"18210","object_relation":"filename","sharing_group_id":"0","timestamp":"1622200348","to_ids":true,"type":"filename","uuid":"2dfcb937-e6af-4b5d-ad50-f8eb975990f3","value":"badmojopipe.exe"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} 
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-config.yml
deleted file mode 100644
index 4da2264165..0000000000
--- a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-config.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-fields:
- tags:
- - preserve_original_event
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json
deleted file mode 100644
index ff85a3edc6..0000000000
--- a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json
+++ /dev/null
@@ -1,2607 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2021-05-21T09:09:22.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload installation\",\"comment\":\"Contextual comment for the file md5 attribute\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3631\",\"first_seen\":null,\"id\":\"266258\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588162\",\"to_ids\":false,\"type\":\"md5\",\"uuid\":\"34c59b06-d35d-4808-919c-4b452f185c52\",\"value\":\"70461da8b94c6ca5d2fda3260c5a8c3b\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"1\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3631\",\"info\":\"Test event 1 just 
atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload installation", - "comment": "Contextual comment for the file md5 attribute", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3631", - "id": "266258", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:09:22.000Z", - "to_ids": false, - "type": "md5", - "uuid": "34c59b06-d35d-4808-919c-4b452f185c52" - }, - "event": { - "attribute_count": 1, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3631", - "info": "Test event 1 just atrributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "md5": "70461da8b94c6ca5d2fda3260c5a8c3b" - } - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T09:20:36.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"Artefact dropped for test 
2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266259\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588675\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"73102a1c-7432-47b7-9644-6f9d46b6887c\",\"value\":\"60461da8b94c6ca5d2fda3260c5a8c3b\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Artifacts dropped", - "comment": "Artefact dropped for test 2", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3632", - "id": "266259", - 
"object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:17:55.000Z", - "to_ids": true, - "type": "md5", - "uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c" - }, - "event": { - "attribute_count": 4, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3632", - "info": "Test event 2 just more atrributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "md5": "60461da8b94c6ca5d2fda3260c5a8c3b" - } - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T09:20:36.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"Conext for domain type attribute event 
2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266260\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588744\",\"to_ids\":true,\"type\":\"domain\",\"uuid\":\"a52a1b47-a580-4f33-96ba-939cf9146c9b\",\"value\":\"baddom.madeup.local\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "Conext for domain type attribute event 2", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3632", - "id": "266260", - 
"object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:19:04.000Z", - "to_ids": true, - "type": "domain", - "uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b" - }, - "event": { - "attribute_count": 4, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3632", - "info": "Test event 2 just more atrributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0, - "type": "domain-name", - "url": { - "domain": "baddom.madeup.local" - } - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T09:20:36.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"Ip-src attribute context for 
event2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266261\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588800\",\"to_ids\":false,\"type\":\"ip-src\",\"uuid\":\"3dbf224b-7c84-4c4b-9f95-80f28954bd10\",\"value\":\"10.0.0.1\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "Ip-src attribute context for event2", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3632", - "id": "266261", - "object_id": 
"0", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:20:00.000Z", - "to_ids": false, - "type": "ip-src", - "uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10" - }, - "event": { - "attribute_count": 4, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3632", - "info": "Test event 2 just more atrributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "ip": "10.0.0.1", - "provider": "misp", - "scanner_stats": 0, - "type": "ipv4-addr" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T09:20:36.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"ip-dst context for event id 
2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266262\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588836\",\"to_ids\":true,\"type\":\"ip-dst\",\"uuid\":\"db4bfd36-7374-4f8c-9031-60e56d4bba30\",\"value\":\"192.168.1.50\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "ip-dst context for event id 2", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3632", - "id": "266262", - "object_id": "0", - 
"sharing_group_id": "0", - "timestamp": "2021-05-21T09:20:36.000Z", - "to_ids": true, - "type": "ip-dst", - "uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30" - }, - "event": { - "attribute_count": 4, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3632", - "info": "Test event 2 just more atrributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "ip": "192.168.1.50", - "provider": "misp", - "scanner_stats": 0, - "type": "ipv4-addr" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:22:12.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 
3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266267\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"fullpath\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"ff97cc32-815e-4fc9-9d4b-cab9822027a6\",\"value\":\"\\\\the\\\\fullpath\\\\to the file\\\\filenameofobject.txt\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just 
atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3633", - "id": "266267", - "object_id": "18207", - "object_relation": "fullpath", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:32:28.000Z", - "to_ids": false, - "type": "text", - "uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6", - "value": "\\the\\fullpath\\to the file\\filenameofobject.txt" - }, - "context": { - "attribute": { - "category": "Payload delivery", - "comment": "filename contect for test event 3", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3633", - "id": "266263", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:27:09.000Z", - "to_ids": false, - "type": "filename", - "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "value": "thetestfile.txt" - } - }, - "event": { - "attribute_count": 6, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3633", - "info": "Test event 3 objects and attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": 
"1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" - }, - "object": { - "comment": "File object for event 3", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3633", - "id": "18207", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T09:32:28.000Z", - "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:22:12.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 
3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266268\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"size-in-bytes\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":false,\"type\":\"size-in-bytes\",\"uuid\":\"e378b4d9-43e1-4c64-bd4e-70fce2b4e581\",\"value\":\"505050\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just 
atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3633", - "id": "266268", - "object_id": "18207", - "object_relation": "size-in-bytes", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:32:28.000Z", - "to_ids": false, - "type": "size-in-bytes", - "uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581", - "value": "505050" - }, - "context": { - "attribute": { - "category": "Payload delivery", - "comment": "filename contect for test event 3", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3633", - "id": "266263", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:27:09.000Z", - "to_ids": false, - "type": "filename", - "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "value": "thetestfile.txt" - } - }, - "event": { - "attribute_count": 6, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3633", - "info": "Test event 3 objects and attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - 
"sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" - }, - "object": { - "comment": "File object for event 3", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3633", - "id": "18207", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T09:32:28.000Z", - "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:22:12.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload 
delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266264\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"md5\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"787b3822-0bec-4278-b34a-5d649e7bce05\",\"value\":\"70461da8b94c6ca5d2fda3260c5a8c3b\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and 
attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3633", - "id": "266264", - "object_id": "18207", - "object_relation": "md5", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:32:28.000Z", - "to_ids": true, - "type": "md5", - "uuid": "787b3822-0bec-4278-b34a-5d649e7bce05" - }, - "context": { - "attribute": { - "category": "Payload delivery", - "comment": "filename contect for test event 3", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3633", - "id": "266263", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:27:09.000Z", - "to_ids": false, - "type": "filename", - "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "value": "thetestfile.txt" - } - }, - "event": { - "attribute_count": 6, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3633", - "info": "Test event 3 objects and attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" - }, - "object": { - "comment": "File object for event 3", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3633", - "id": "18207", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - 
"timestamp": "2021-05-21T09:32:28.000Z", - "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "md5": "70461da8b94c6ca5d2fda3260c5a8c3b" - } - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:22:12.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266265\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e\",\"value\":\"f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3633", - "id": "266265", - "object_id": "18207", - "object_relation": "sha256", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:32:28.000Z", - "to_ids": true, - 
"type": "sha256", - "uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e" - }, - "context": { - "attribute": { - "category": "Payload delivery", - "comment": "filename contect for test event 3", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3633", - "id": "266263", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:27:09.000Z", - "to_ids": false, - "type": "filename", - "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "value": "thetestfile.txt" - } - }, - "event": { - "attribute_count": 6, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3633", - "info": "Test event 3 objects and attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" - }, - "object": { - "comment": "File object for event 3", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3633", - "id": "18207", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T09:32:28.000Z", - "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee" - } - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:22:12.000Z", - 
"ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266266\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"6648d129-9200-431b-9b41-263a84f7c9d2\",\"value\":\"filenameofobject.txt\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3633", - "id": "266266", - "object_id": "18207", - "object_relation": "filename", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:32:28.000Z", - "to_ids": true, 
- "type": "filename", - "uuid": "6648d129-9200-431b-9b41-263a84f7c9d2" - }, - "context": { - "attribute": { - "category": "Payload delivery", - "comment": "filename contect for test event 3", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3633", - "id": "266263", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-21T09:27:09.000Z", - "to_ids": false, - "type": "filename", - "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "value": "thetestfile.txt" - } - }, - "event": { - "attribute_count": 6, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3633", - "info": "Test event 3 objects and attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" - }, - "object": { - "comment": "File object for event 3", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3633", - "id": "18207", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T09:32:28.000Z", - "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "name": "filenameofobject.txt" - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:09:30.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - 
"category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"266269\",\"last_seen\":null,\"object_id\":\"18208\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621591770\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"25d2f181-26ae-4d6f-b4fd-85b9d1f82e67\",\"value\":\"Free text in the file object\"},\"ObjectReference\":[],\"comment\":\"File object for test event 4 \",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"18208\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621591770\",\"uuid\":\"190c762c-a389-4ecc-8f6e-68f92d42adef\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"3\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3634\",\"info\":\"Test event 4 with object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1621591770\",\"uuid\":\"d98a8418-9f90-4b50-a623-6921ca5b356d\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - 
"deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3634", - "id": "266269", - "object_id": "18208", - "object_relation": "text", - "sharing_group_id": "0", - "timestamp": "2021-05-21T10:09:30.000Z", - "to_ids": false, - "type": "text", - "uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67", - "value": "Free text in the file object" - }, - "event": { - "attribute_count": 3, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3634", - "info": "Test event 4 with object", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 3, - "uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d" - }, - "object": { - "comment": "File object for test event 4 ", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3634", - "id": "18208", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T10:09:30.000Z", - "uuid": "190c762c-a389-4ecc-8f6e-68f92d42adef" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:09:30.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload 
delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"266270\",\"last_seen\":null,\"object_id\":\"18208\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621591770\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"4e579782-346b-44b3-b72c-1cae8d87cb25\",\"value\":\"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666\"},\"ObjectReference\":[],\"comment\":\"File object for test event 4 \",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"18208\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621591770\",\"uuid\":\"190c762c-a389-4ecc-8f6e-68f92d42adef\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"3\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3634\",\"info\":\"Test event 4 with object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1621591770\",\"uuid\":\"d98a8418-9f90-4b50-a623-6921ca5b356d\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3634", - "id": "266270", - "object_id": "18208", - "object_relation": 
"sha256", - "sharing_group_id": "0", - "timestamp": "2021-05-21T10:09:30.000Z", - "to_ids": true, - "type": "sha256", - "uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25" - }, - "event": { - "attribute_count": 3, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3634", - "info": "Test event 4 with object", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 3, - "uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d" - }, - "object": { - "comment": "File object for test event 4 ", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3634", - "id": "18208", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T10:09:30.000Z", - "uuid": "190c762c-a389-4ecc-8f6e-68f92d42adef" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666" - } - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:09:30.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload 
delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"266271\",\"last_seen\":null,\"object_id\":\"18208\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621591770\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"a40343b5-a480-4288-9b0c-7ae074a77140\",\"value\":\"filenameinmispobject.txt\"},\"ObjectReference\":[],\"comment\":\"File object for test event 4 \",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"18208\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621591770\",\"uuid\":\"190c762c-a389-4ecc-8f6e-68f92d42adef\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"3\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3634\",\"info\":\"Test event 4 with object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1621591770\",\"uuid\":\"d98a8418-9f90-4b50-a623-6921ca5b356d\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3634", - "id": "266271", - "object_id": "18208", - "object_relation": "filename", - "sharing_group_id": "0", 
- "timestamp": "2021-05-21T10:09:30.000Z", - "to_ids": true, - "type": "filename", - "uuid": "a40343b5-a480-4288-9b0c-7ae074a77140" - }, - "event": { - "attribute_count": 3, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3634", - "info": "Test event 4 with object", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 3, - "uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d" - }, - "object": { - "comment": "File object for test event 4 ", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3634", - "id": "18208", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T10:09:30.000Z", - "uuid": "190c762c-a389-4ecc-8f6e-68f92d42adef" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "name": "filenameinmispobject.txt" - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:19:39.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": 
"{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266272\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"188a6a15-5704-4e4f-acba-22c55ab08fe8\",\"value\":\"Object 5 free text attribute in object\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": true, - 
"distribution": 5, - "event_id": "3635", - "id": "266272", - "object_id": "18209", - "object_relation": "text", - "sharing_group_id": "0", - "timestamp": "2021-05-21T10:19:39.000Z", - "to_ids": false, - "type": "text", - "uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8", - "value": "Object 5 free text attribute in object" - }, - "event": { - "attribute_count": 5, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3635", - "info": "Test event 5 with an object", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e" - }, - "object": { - "comment": "event 5 object comment", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3635", - "id": "18209", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T10:19:39.000Z", - "uuid": "a62cb6fb-fa1c-45ce-abb8-b46da23631d5" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:19:39.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": 
"{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266275\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"entropy\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":false,\"type\":\"float\",\"uuid\":\"2400b103-4a33-4f92-ac04-a558b6c6e252\",\"value\":\"0.53535445\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": 
"3635", - "id": "266275", - "object_id": "18209", - "object_relation": "entropy", - "sharing_group_id": "0", - "timestamp": "2021-05-21T10:19:39.000Z", - "to_ids": false, - "type": "float", - "uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252", - "value": "0.53535445" - }, - "event": { - "attribute_count": 5, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3635", - "info": "Test event 5 with an object", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e" - }, - "object": { - "comment": "event 5 object comment", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3635", - "id": "18209", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T10:19:39.000Z", - "uuid": "a62cb6fb-fa1c-45ce-abb8-b46da23631d5" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:19:39.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": 
"{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266276\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"size-in-bytes\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":false,\"type\":\"size-in-bytes\",\"uuid\":\"e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7\",\"value\":\"55555\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - 
"event_id": "3635", - "id": "266276", - "object_id": "18209", - "object_relation": "size-in-bytes", - "sharing_group_id": "0", - "timestamp": "2021-05-21T10:19:39.000Z", - "to_ids": false, - "type": "size-in-bytes", - "uuid": "e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7", - "value": "55555" - }, - "event": { - "attribute_count": 5, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3635", - "info": "Test event 5 with an object", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e" - }, - "object": { - "comment": "event 5 object comment", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3635", - "id": "18209", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T10:19:39.000Z", - "uuid": "a62cb6fb-fa1c-45ce-abb8-b46da23631d5" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:19:39.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload 
delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266273\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"803f10bd-9087-4169-8699-277579a92693\",\"value\":\"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3635", - "id": "266273", - "object_id": "18209", - "object_relation": 
"sha256", - "sharing_group_id": "0", - "timestamp": "2021-05-21T10:19:39.000Z", - "to_ids": true, - "type": "sha256", - "uuid": "803f10bd-9087-4169-8699-277579a92693" - }, - "event": { - "attribute_count": 5, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3635", - "info": "Test event 5 with an object", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e" - }, - "object": { - "comment": "event 5 object comment", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3635", - "id": "18209", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T10:19:39.000Z", - "uuid": "a62cb6fb-fa1c-45ce-abb8-b46da23631d5" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665" - } - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-21T10:19:39.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload 
delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266274\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f\",\"value\":\"object5.txt\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3635", - "id": "266274", - "object_id": "18209", - "object_relation": "filename", - "sharing_group_id": "0", - "timestamp": 
"2021-05-21T10:19:39.000Z", - "to_ids": true, - "type": "filename", - "uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f" - }, - "event": { - "attribute_count": 5, - "date": "2021-05-21", - "disable_correlation": false, - "distribution": 1, - "extends_uuid": "", - "id": "3635", - "info": "Test event 5 with an object", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e" - }, - "object": { - "comment": "event 5 object comment", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3635", - "id": "18209", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-21T10:19:39.000Z", - "uuid": "a62cb6fb-fa1c-45ce-abb8-b46da23631d5" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "name": "object5.txt" - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-28T11:19:41.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts 
dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266278\",\"last_seen\":null,\"object_id\":\"18210\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200348\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"955e34a5-a630-42c9-868d-6e3dcb575987\",\"value\":\"Excutable create bad pipe\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18210\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1622200348\",\"uuid\":\"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple 
attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3636", - "id": "266278", - "object_id": "18210", - "object_relation": "text", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:12:28.000Z", - "to_ids": false, - "type": "text", - "uuid": "955e34a5-a630-42c9-868d-6e3dcb575987", - "value": "Excutable create bad pipe" - }, - "context": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266277", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:10:49.000Z", - "to_ids": false, - "type": "windows-service-name", - "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "value": "badmojopipe" - } - }, - "event": { - "attribute_count": 9, - "date": "2021-05-28", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "", - "id": "3636", - "info": "Test event 6 with multiple objects and multiple attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" - }, - "object": { - "comment": "", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3636", - "id": "18210", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": 
"22", - "timestamp": "2021-05-28T11:12:28.000Z", - "uuid": "afe43d99-d8b6-47fa-8e7b-3d3ece2f8366" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-28T11:19:41.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266281\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"size-in-bytes\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"size-in-bytes\",\"uuid\":\"2fa7721b-ad73-4914-b082-8d44233ced98\",\"value\":\"3892\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable 
Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3636", - "id": "266281", - "object_id": "18211", - "object_relation": "size-in-bytes", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:19:40.000Z", - "to_ids": false, - "type": "size-in-bytes", - "uuid": "2fa7721b-ad73-4914-b082-8d44233ced98", - "value": "3892" - }, - "context": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266277", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:10:49.000Z", - "to_ids": false, - "type": "windows-service-name", - "uuid": 
"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "value": "badmojopipe" - } - }, - "event": { - "attribute_count": 9, - "date": "2021-05-28", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "", - "id": "3636", - "info": "Test event 6 with multiple objects and multiple attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" - }, - "object": { - "comment": "", - "deleted": false, - "description": "Object describing a section of a Portable Executable", - "distribution": 5, - "event_id": "3636", - "id": "18211", - "meta_category": "file", - "name": "pe-section", - "sharing_group_id": "0", - "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", - "template_version": "3", - "timestamp": "2021-05-28T11:19:40.000Z", - "uuid": "023be568-34d6-4df4-ae88-f4de0dbfcd9d" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-28T11:19:41.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts 
dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266283\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"name\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"d35c1ff8-a69c-482b-8fb0-1182988d9468\",\"value\":\".data\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple 
attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3636", - "id": "266283", - "object_id": "18211", - "object_relation": "name", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:19:40.000Z", - "to_ids": false, - "type": "text", - "uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468", - "value": ".data" - }, - "context": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266277", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:10:49.000Z", - "to_ids": false, - "type": "windows-service-name", - "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "value": "badmojopipe" - } - }, - "event": { - "attribute_count": 9, - "date": "2021-05-28", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "", - "id": "3636", - "info": "Test event 6 with multiple objects and multiple attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" - }, - "object": { - "comment": "", - "deleted": false, - "description": "Object describing a section of a Portable Executable", - "distribution": 5, - "event_id": "3636", - "id": "18211", - "meta_category": "file", - "name": "pe-section", - "sharing_group_id": "0", - "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", - "template_version": "3", - 
"timestamp": "2021-05-28T11:19:40.000Z", - "uuid": "023be568-34d6-4df4-ae88-f4de0dbfcd9d" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-28T11:19:41.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266284\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"dc11971a-a676-4676-b24c-a45a8791e0b0\",\"value\":\"Extracted zip archive data\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable 
Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3636", - "id": "266284", - "object_id": "18211", - "object_relation": "text", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:19:40.000Z", - "to_ids": false, - "type": "text", - "uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0", - "value": "Extracted zip archive data" - }, - "context": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266277", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:10:49.000Z", - "to_ids": false, - "type": "windows-service-name", - "uuid": 
"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "value": "badmojopipe" - } - }, - "event": { - "attribute_count": 9, - "date": "2021-05-28", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "", - "id": "3636", - "info": "Test event 6 with multiple objects and multiple attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" - }, - "object": { - "comment": "", - "deleted": false, - "description": "Object describing a section of a Portable Executable", - "distribution": 5, - "event_id": "3636", - "id": "18211", - "meta_category": "file", - "name": "pe-section", - "sharing_group_id": "0", - "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", - "template_version": "3", - "timestamp": "2021-05-28T11:19:40.000Z", - "uuid": "023be568-34d6-4df4-ae88-f4de0dbfcd9d" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-28T11:19:41.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts 
dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266285\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"entropy\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"float\",\"uuid\":\"a85c0cbb-25a8-4bc9-b146-3cba1020e5bb\",\"value\":\"7.93280431051\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple 
attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3636", - "id": "266285", - "object_id": "18211", - "object_relation": "entropy", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:19:40.000Z", - "to_ids": false, - "type": "float", - "uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", - "value": "7.93280431051" - }, - "context": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266277", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:10:49.000Z", - "to_ids": false, - "type": "windows-service-name", - "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "value": "badmojopipe" - } - }, - "event": { - "attribute_count": 9, - "date": "2021-05-28", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "", - "id": "3636", - "info": "Test event 6 with multiple objects and multiple attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" - }, - "object": { - "comment": "", - "deleted": false, - "description": "Object describing a section of a Portable Executable", - "distribution": 5, - "event_id": "3636", - "id": "18211", - "meta_category": "file", - "name": "pe-section", - "sharing_group_id": "0", - "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", - "template_version": 
"3", - "timestamp": "2021-05-28T11:19:40.000Z", - "uuid": "023be568-34d6-4df4-ae88-f4de0dbfcd9d" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-28T11:19:41.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266279\",\"last_seen\":null,\"object_id\":\"18210\",\"object_relation\":\"md5\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200348\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"1c97c043-5de2-41a1-b591-3237174cd290\",\"value\":\"7392463caf95534d56460bc9f360adc1\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18210\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1622200348\",\"uuid\":\"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266279", - "object_id": "18210", - "object_relation": "md5", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:12:28.000Z", - "to_ids": true, - "type": "md5", - "uuid": "1c97c043-5de2-41a1-b591-3237174cd290" - }, - "context": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266277", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:10:49.000Z", - "to_ids": false, - "type": "windows-service-name", - "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - 
"value": "badmojopipe" - } - }, - "event": { - "attribute_count": 9, - "date": "2021-05-28", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "", - "id": "3636", - "info": "Test event 6 with multiple objects and multiple attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" - }, - "object": { - "comment": "", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3636", - "id": "18210", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-28T11:12:28.000Z", - "uuid": "afe43d99-d8b6-47fa-8e7b-3d3ece2f8366" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "md5": "7392463caf95534d56460bc9f360adc1" - } - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-28T11:19:41.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts 
dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266282\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"md5\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"f3b8696e-5390-4383-ace2-6e06bfae497d\",\"value\":\"7295463caf95534d56460bc9f360adc1\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple 
attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266282", - "object_id": "18211", - "object_relation": "md5", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:19:40.000Z", - "to_ids": true, - "type": "md5", - "uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d" - }, - "context": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266277", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:10:49.000Z", - "to_ids": false, - "type": "windows-service-name", - "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "value": "badmojopipe" - } - }, - "event": { - "attribute_count": 9, - "date": "2021-05-28", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "", - "id": "3636", - "info": "Test event 6 with multiple objects and multiple attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" - }, - "object": { - "comment": "", - "deleted": false, - "description": "Object describing a section of a Portable Executable", - "distribution": 5, - "event_id": "3636", - "id": "18211", - "meta_category": "file", - "name": "pe-section", - "sharing_group_id": "0", - "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", - "template_version": "3", - "timestamp": 
"2021-05-28T11:19:40.000Z", - "uuid": "023be568-34d6-4df4-ae88-f4de0dbfcd9d" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "md5": "7295463caf95534d56460bc9f360adc1" - } - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-28T11:19:41.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266280\",\"last_seen\":null,\"object_id\":\"18210\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200348\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"2dfcb937-e6af-4b5d-ad50-f8eb975990f3\",\"value\":\"badmojopipe.exe\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18210\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1622200348\",\"uuid\":\"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3636", - "id": "266280", - "object_id": "18210", - "object_relation": "filename", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:12:28.000Z", - "to_ids": true, - "type": "filename", - "uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3" - }, - "context": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266277", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:10:49.000Z", - "to_ids": false, - "type": "windows-service-name", - "uuid": 
"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "value": "badmojopipe" - } - }, - "event": { - "attribute_count": 9, - "date": "2021-05-28", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "", - "id": "3636", - "info": "Test event 6 with multiple objects and multiple attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" - }, - "object": { - "comment": "", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": 5, - "event_id": "3636", - "id": "18210", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-28T11:12:28.000Z", - "uuid": "afe43d99-d8b6-47fa-8e7b-3d3ece2f8366" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "name": "badmojopipe.exe" - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - } - ] -} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log deleted file mode 100644 index ceb5f41cfb..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log +++ /dev/null 
@@ -1,2 +0,0 @@ -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Other","comment":"","deleted":false,"disable_correlation":true,"distribution":"5","event_id":"3636","first_seen":null,"id":"266285","last_seen":null,"object_id":"18211","object_relation":"entropy","sharing_group_id":"0","timestamp":"1622200780","to_ids":false,"type":"float","uuid":"a85c0cbb-25a8-4bc9-b146-3cba1020e5bb","value":"7.93280431051"},"ObjectReference":[],"comment":"","deleted":false,"description":"Object describing a section of a Portable Executable","distribution":"5","event_id":"3636","first_seen":null,"id":"18211","last_seen":null,"meta-category":"file","name":"pe-section","sharing_group_id":"0","template_uuid":"198a17d2-a135-4b25-9a32-5aa4e632014a","template_version":"3","timestamp":"1622200780","uuid":"023be568-34d6-4df4-ae88-f4de0dbfcd9d"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects and multiple 
attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Artifacts dropped","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266277","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1622200249","to_ids":false,"type":"windows-service-name","uuid":"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb","value":"badmojopipe"},"EventReport":[],"Galaxy":[],"Object":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"3636","first_seen":null,"id":"266279","last_seen":null,"object_id":"18210","object_relation":"md5","sharing_group_id":"0","timestamp":"1622200348","to_ids":true,"type":"md5","uuid":"1c97c043-5de2-41a1-b591-3237174cd290","value":"7392463caf95534d56460bc9f360adc1"},"ObjectReference":[],"comment":"","deleted":false,"description":"File object describing a file with meta-information","distribution":"5","event_id":"3636","first_seen":null,"id":"18210","last_seen":null,"meta-category":"file","name":"file","sharing_group_id":"0","template_uuid":"688c46fb-5edb-40a3-8273-1af7923e2215","template_version":"22","timestamp":"1622200348","uuid":"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366"},"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"Orgc":{"id":"1","local":true,"name":"ORGNAME","uuid":"78acad2d-cc2d-4785-94d6-b428a0070488"},"RelatedEvent":[],"ShadowAttribute":[],"analysis":"0","attribute_count":"9","date":"2021-05-28","disable_correlation":false,"distribution":"0","event_creator_email":"admin@admin.test","extends_uuid":"","id":"3636","info":"Test event 6 with multiple objects 
and multiple attributes","locked":false,"org_id":"1","orgc_id":"1","proposal_email_lock":false,"publish_timestamp":"0","published":false,"sharing_group_id":"0","threat_level_id":"1","timestamp":"1622200781","uuid":"81aea1d1-bb23-4bcd-9b0c-496e9ce028df"}} diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-config.yml deleted file mode 100644 index c41ee36923..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -fields: - tags: ~ diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-expected.json b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-expected.json deleted file mode 100644 index 407efc0fbe..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-expected.json +++ /dev/null 
@@ -1,221 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2021-05-28T11:19:41.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Other", - "comment": "", - "deleted": false, - "disable_correlation": true, - "distribution": 5, - "event_id": "3636", - "id": "266285", - "object_id": "18211", - "object_relation": "entropy", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:19:40.000Z", - "to_ids": false, - "type": "float", - "uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", - "value": "7.93280431051" - }, - "context": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266277", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:10:49.000Z", - "to_ids": false, - "type": "windows-service-name", - "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "value": "badmojopipe" - } - }, - "event": { - "attribute_count": 9, - "date": "2021-05-28", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "", - "id": "3636", - "info": "Test event 6 with multiple objects and multiple attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" - }, - "object": { - "comment": "", - "deleted": false, - "description": "Object describing a section of a Portable Executable", - "distribution": 5, - "event_id": "3636", - "id": "18211", - "meta_category": "file", - "name": "pe-section", - "sharing_group_id": "0", - "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", - "template_version": "3", - "timestamp": "2021-05-28T11:19:40.000Z", - "uuid": 
"023be568-34d6-4df4-ae88-f4de0dbfcd9d" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "scanner_stats": 0 - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2021-05-28T11:19:41.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266279", - "object_id": "18210", - "object_relation": "md5", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:12:28.000Z", - "to_ids": true, - "type": "md5", - "uuid": "1c97c043-5de2-41a1-b591-3237174cd290" - }, - "context": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "3636", - "id": "266277", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2021-05-28T11:10:49.000Z", - "to_ids": false, - "type": "windows-service-name", - "uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "value": "badmojopipe" - } - }, - "event": { - "attribute_count": 9, - "date": "2021-05-28", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "", - "id": "3636", - "info": "Test event 6 with multiple objects and multiple attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "1970-01-01T00:00:00.000Z", - "published": false, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df" - }, - "object": { - "comment": "", - "deleted": false, - "description": "File object describing a file with meta-information", - 
"distribution": 5, - "event_id": "3636", - "id": "18210", - "meta_category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "2021-05-28T11:12:28.000Z", - "uuid": "afe43d99-d8b6-47fa-8e7b-3d3ece2f8366" - }, - "orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - } - }, - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "md5": "7392463caf95534d56460bc9f360adc1" - } - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "admin@admin.test", - "roles": [ - "reporting_user" - ] - } - } - ] -} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log deleted file mode 100644 index 0641fb93f7..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log +++ /dev/null 
@@ -1,16 +0,0 @@ -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"5","first_seen":null,"id":"351","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1503930272","to_ids":true,"type":"md5","uuid":"59a427a0-f6f8-4178-9e7d-dfd702de0b81","value":"f2679bdabe46e10edc6352fff3c829bc"},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","http://pastebin.com/raw/GHgpWjar","MISP Project"],"collection_uuid":"10cf658b-5d32-4c4b-bb32-61760a640372","description":"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant","galaxy_id":"43","id":"6619","local":false,"meta":{"date":["November 2016"],"encryption":["AES + RSA-512"],"extensions":[".dharma",".wallet",".zzzzz",".cmb",".id-BCBEF350.[paymentbtc@firemail.cc].cmb",".bip",".id-BCBEF350.[Beamsell@qq.com].bip",".boost",".[Darknes@420blaze.it].waifu",".brrr",".adobe",".tron",".AUDIT",".cccmn",".fire",".myjob",".[cyberwars@qq.com].war",".risk",".RISK",".bkpx",".[newsantaclaus@aol.com].santa"],"payment-method":["Bitcoin - Email"],"ransomnotes":["all your data has been locked us\\nYou want to return?\\nwrite email paymentbtc@firemail.cc","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. 
If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\nWrite this ID in the title of your message ACBFF130\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\nhttps://localbitcoins.com/buy_bitcoins\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\nAttention!\\nDo not rename encrypted files.\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\nWrite this ID in the title of your message BCBEF350\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. 
(databases,backups, large excel sheets, etc.) \\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\nhttps://localbitcoins.com/buy_bitcoins \\nAlso you can find other places to buy Bitcoins and beginners guide here: \\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\nAttention!\\nDo not rename encrypted files. \\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","all your data has been locked us\\nYou want to return?\\nwrite email Beamsell@qq.com"],"ransomnotes-filenames":["README.txt","README.jpg","Info.hta","FILES ENCRYPTED.txt","INFO.hta"],"ransomnotes-refs":["https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg","https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg","https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg","https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg","https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"],"refs":["https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html","https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/","https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/","https://twitter.com/demonslay335/status/1049313390097813504","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/","https://twitter.com/JakubKroustek/status/1038680437508501504","https://twitter.com/demonslay335/status/1059521042383814657","https://twitter.
com/demonslay335/status/1059940414147489792","https://twitter.com/JakubKroustek/status/1060825783197933568","https://twitter.com/JakubKroustek/status/1064061275863425025","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/","https://www.youtube.com/watch?v=qjoYtwLx2TI","https://twitter.com/GrujaRS/status/1072139616910757888"]},"source":"Various","tag_id":"23","tag_name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","type":"ransomware","uuid":"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b","value":"Dharma Ransomware","version":"86"}],"description":"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","icon":"btc","id":"43","name":"Ransomware","namespace":"misp","type":"ransomware","uuid":"3f44af2e-1480-4b6b-9aa8-f9bb21341078","version":"4"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[],"ShadowAttribute":[],"Tag":[{"colour":"#0088cc","exportable":true,"hide_tag":false,"id":"23","local":0,"name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#004646","exportable":true,"hide_tag":false,"id":"21","local":0,"name":"type:OSINT","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"},{"colour":"#2c4f00","exportable":true,"hide_tag":false,"id":"24","local":0,"name":"malware_classification:malware-category=\"Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#00223b","exportable":true,"hide_tag":false,"id":"3","local":0,"name":"osint:source-type=\"blog - 
post\"","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"7","date":"2017-08-25","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"5","info":"OSINT - New Arena Crysis Ransomware Variant Released","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226331","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1503930276","uuid":"59a3d08d-5dc8-4153-bc7c-456d950d210f"}} -{"Event":{"Attribute":{"id":"10794","type":"domain|ip","category":"Network activity","to_ids":false,"uuid":"5bf30242-8ef4-4c52-a2d7-0b7b0a016219","event_id":"14","distribution":"5","timestamp":"1542652482","comment":"1st stage","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"your-ip.getmyip.com|89.160.20.156","Galaxy":[],"ShadowAttribute":[]},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","http://pastebin.com/raw/GHgpWjar","MISP Project"],"collection_uuid":"10cf658b-5d32-4c4b-bb32-61760a640372","description":"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant","galaxy_id":"43","id":"6619","local":false,"meta":{"date":["November 2016"],"encryption":["AES + RSA-512"],"extensions":[".dharma",".wallet",".zzzzz",".cmb",".id-BCBEF350.[paymentbtc@firemail.cc].cmb",".bip",".id-BCBEF350.[Beamsell@qq.com].bip",".boost",".[Darknes@420blaze.it].waifu",".brrr",".adobe",".tron",".AUDIT",".cccmn",".fire",".myjob",".[cyberwars@qq.com].war",".risk",".RISK",".bkpx",".[newsantaclaus@aol.com].santa"],"payment-method":["Bitcoin - Email"],"ransomnotes":["all your data has been locked us\\nYou want to return?\\nwrite email paymentbtc@firemail.cc","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\nWrite this ID in the title of your message ACBFF130\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\nhttps://localbitcoins.com/buy_bitcoins\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\nAttention!\\nDo not rename encrypted files.\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\nWrite this ID in the title of your message BCBEF350\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\nhttps://localbitcoins.com/buy_bitcoins \\nAlso you can find other places to buy Bitcoins and beginners guide here: \\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\nAttention!\\nDo not rename encrypted files. 
\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","all your data has been locked us\\nYou want to return?\\nwrite email Beamsell@qq.com"],"ransomnotes-filenames":["README.txt","README.jpg","Info.hta","FILES ENCRYPTED.txt","INFO.hta"],"ransomnotes-refs":["https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg","https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg","https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg","https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg","https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"],"refs":["https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html","https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/","https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/","https://twitter.com/demonslay335/status/1049313390097813504","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/","https://twitter.com/JakubKroustek/status/1038680437508501504","https://twitter.com/demonslay335/status/1059521042383814657","https://twitter.com/demonslay335/status/1059940414147489792","https://twitter.com/JakubKroustek/status/1060825783197933568","https://twitter.com/JakubKroustek/status/1064061275863425025","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/","https://www.youtube.com/watch?v=qjoYtwLx2TI","https://twitter.com/GrujaRS/status/1072139616910757888"]},"source":"Various","tag_id":"23","tag_name":"misp-galaxy:ransom
ware=\"Dharma Ransomware\"","type":"ransomware","uuid":"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b","value":"Dharma Ransomware","version":"86"}],"description":"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","icon":"btc","id":"43","name":"Ransomware","namespace":"misp","type":"ransomware","uuid":"3f44af2e-1480-4b6b-9aa8-f9bb21341078","version":"4"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[],"ShadowAttribute":[],"Tag":[{"colour":"#0088cc","exportable":true,"hide_tag":false,"id":"23","local":0,"name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#004646","exportable":true,"hide_tag":false,"id":"21","local":0,"name":"type:OSINT","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"},{"colour":"#2c4f00","exportable":true,"hide_tag":false,"id":"24","local":0,"name":"malware_classification:malware-category=\"Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#00223b","exportable":true,"hide_tag":false,"id":"3","local":0,"name":"osint:source-type=\"blog - post\"","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"7","date":"2017-08-25","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"5","info":"OSINT - New Arena Crysis Ransomware Variant Released","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226331","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1503930276","uuid":"59a3d08d-5dc8-4153-bc7c-456d950d210f"}} -{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"External analysis","comment":"Carbon sample - Xchecked via VT: 
a08b8371ead1919500a4759c2f46553620d5a9d9","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"4","first_seen":null,"id":"342","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1490878550","to_ids":false,"type":"link","uuid":"58dd0056-6e74-43d5-b58b-494802de0b81","value":"https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/"},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["Alexandre Dulaunoy","Florian Roth","Timo Steffens","Christophe Vandeplas","Dennis Rand","raw-data"],"collection_uuid":"0d821b68-9d82-4c6d-86a6-1071a9e0f79f","description":"Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver). A macOS version exists but appears incomplete and lacking features...for now!","galaxy_id":"36","id":"5828","local":false,"meta":{"refs":["https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf","https://objective-see.com/blog/blog_0x25.html#Snake"],"synonyms":["Snake","Uroburos","Urouros"],"type":["Backdoor","Rootkit"]},"source":"MISP Project","tag_id":"22","tag_name":"misp-galaxy:tool=\"Turla\"","type":"tool","uuid":"22332d52-c0c2-443c-9ffb-f08c0d23722c","value":"Turla","version":"138"}],"description":"Threat actors tools is an enumeration of tools used by adversaries. 
The list includes malware but also common software regularly used by the adversaries.","icon":"optin-monster","id":"36","name":"Tool","namespace":"misp","type":"tool","uuid":"9b8037f7-bc8f-4de1-a797-37266619bc0b","version":"3"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"4","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f"},"analysis":"2","date":"2015-01-20","distribution":"3","id":"369","info":"OSINT Analysis of Project Cobra Another extensible framework used by the Uroburos’ actors from Gdata","org_id":"1","orgc_id":"4","published":true,"threat_level_id":"1","timestamp":"1498163317","uuid":"54bf5a6f-ac50-4f71-9cd3-7080950d210b"}},{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"4","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f"},"analysis":"2","date":"2014-11-20","distribution":"3","id":"621","info":"Turla digging using TotalHash","org_id":"1","orgc_id":"4","published":true,"threat_level_id":"2","timestamp":"1498163604","uuid":"546daad5-425c-4ac4-82c7-e07f950d210b"}}],"ShadowAttribute":[],"Tag":[{"colour":"#065100","exportable":true,"hide_tag":false,"id":"22","local":0,"name":"misp-galaxy:tool=\"Turla\"","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"100","date":"2017-03-30","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"4","info":"OSINT - Carbon Paper: Peering into Turla’s second stage 
backdoor","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226330","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1493403824","uuid":"58dcfe62-ed84-4e5e-b293-4991950d210f"}} -{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1077","type":"sha256","category":"External analysis","to_ids":true,"uuid":"54324042-49fc-4628-a95e-44da950d210b","event_id":"2","distribution":"5","timestamp":"1412579394","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by 
Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1084","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"54324081-3308-4f1f-8674-4953950d210b","event_id":"2","distribution":"5","timestamp":"1412579457","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"89.160.20.156","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto 
Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1086","type":"hostname","category":"Network activity","to_ids":true,"uuid":"543240dc-f068-437a-baa9-48f2950d210b","event_id":"2","distribution":"5","timestamp":"1412579548","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"xenserver.ddns.net","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto 
Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1089","type":"text","category":"External analysis","to_ids":false,"uuid":"543240f9-64e8-41f2-958f-4e21950d210b","event_id":"2","distribution":"5","timestamp":"1412579577","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"Nitro","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto 
Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1090","type":"sha1","category":"External analysis","to_ids":true,"uuid":"56c625a7-f31c-460c-9ea1-c652950d210f","event_id":"2","distribution":"5","timestamp":"1455826343","comment":"Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"0ea76f1586c008932d90c991dfdd5042f3aac8ea","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto 
Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"12394","type":"domain","category":"Network activity","to_ids":false,"uuid":"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16","event_id":"22","distribution":"5","timestamp":"1462454963","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"whatsapp.com","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17299","type":"url","category":"Network 
activity","to_ids":false,"uuid":"5a53976c-e7c8-480d-a68a-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515427692","comment":"Fake adobe URL","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"http://get.adobe.com/stats/AbfFcBebD/?q=","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito 
Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17330","type":"uri","category":"Network activity","to_ids":false,"uuid":"5a539ce1-3de0-4e34-8fc4-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515429089","comment":"Win32 backdoor C&C URI","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"/scripts/m/query.php?id=","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} 
-{"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17322","type":"filename|sha1","category":"Artifacts dropped","to_ids":false,"uuid":"5a539ce1-e6a0-426a-942c-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515429089","comment":"JavaScript backdoor","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"google_update_checker.js|c51d288469df9f25e2fb7ac491918b3e579282ea","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla 
Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"22","orgc_id":"4","org_id":"1","date":"2015-12-08","threat_level_id":"3","info":"Packrat: Seven Years of a South American Threat Actor","published":true,"uuid":"56ccdcaf-f7e4-40d8-bca1-51299062e56a","attribute_count":"133","analysis":"2","timestamp":"1516723796","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637901","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"12268","type":"email-src","category":"Payload delivery","to_ids":true,"uuid":"56ccdcb6-4d6c-4e48-b955-52849062e56a","event_id":"22","distribution":"5","timestamp":"1456266422","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"claudiobonadio88@gmail.com","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"22","orgc_id":"4","org_id":"1","date":"2015-12-08","threat_level_id":"3","info":"Packrat: Seven Years of a South American Threat 
Actor","published":true,"uuid":"56ccdcaf-f7e4-40d8-bca1-51299062e56a","attribute_count":"133","analysis":"2","timestamp":"1516723796","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637901","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"12298","type":"regkey","category":"Artifacts dropped","to_ids":true,"uuid":"56ccdcd6-f4b8-4383-9624-52849062e56a","event_id":"22","distribution":"5","timestamp":"1456266454","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"HKLM\\SOFTWARE\\Microsoft\\Active","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"10","orgc_id":"4","org_id":"1","date":"2020-12-09","threat_level_id":"3","info":"Recent Qakbot (Qbot) activity","published":true,"uuid":"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16","attribute_count":"15","analysis":"2","timestamp":"1607868196","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637888","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"10686","type":"ip-dst|port","category":"Network activity","to_ids":true,"uuid":"5fd0c620-a844-4ace-9710-a37bc0a8ab16","event_id":"10","distribution":"5","timestamp":"1607517728","comment":"On port 
2222","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"89.160.20.156|2222","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"6","name":"misp-galaxy:banker=\"Qakbot\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0}]}}
-{"response":[]}
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-config.yml
deleted file mode 100644
index 4da2264165..0000000000
--- a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-config.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-fields:
- tags:
- - preserve_original_event
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json b/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json
deleted file mode 100644
index 27fee944db..0000000000
--- a/test/packages/with-logstash/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json
+++ /dev/null
@@ -1,1222 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2017-08-28T14:24:36.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"5\",\"first_seen\":null,\"id\":\"351\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1503930272\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"59a427a0-f6f8-4178-9e7d-dfd702de0b81\",\"value\":\"f2679bdabe46e10edc6352fff3c829bc\"},\"EventReport\":[],\"Galaxy\":[{\"GalaxyCluster\":[{\"authors\":[\"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"http://pastebin.com/raw/GHgpWjar\",\"MISP Project\"],\"collection_uuid\":\"10cf658b-5d32-4c4b-bb32-61760a640372\",\"description\":\"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\\\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant\",\"galaxy_id\":\"43\",\"id\":\"6619\",\"local\":false,\"meta\":{\"date\":[\"November 2016\"],\"encryption\":[\"AES + RSA-512\"],\"extensions\":[\".dharma\",\".wallet\",\".zzzzz\",\".cmb\",\".id-BCBEF350.[paymentbtc@firemail.cc].cmb\",\".bip\",\".id-BCBEF350.[Beamsell@qq.com].bip\",\".boost\",\".[Darknes@420blaze.it].waifu\",\".brrr\",\".adobe\",\".tron\",\".AUDIT\",\".cccmn\",\".fire\",\".myjob\",\".[cyberwars@qq.com].war\",\".risk\",\".RISK\",\".bkpx\",\".[newsantaclaus@aol.com].santa\"],\"payment-method\":[\"Bitcoin - Email\"],\"ransomnotes\":[\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email paymentbtc@firemail.cc\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\\\nWrite this ID in the title of your message ACBFF130\\\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\\\nhttps://localbitcoins.com/buy_bitcoins\\\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\\\nAttention!\\\\nDo not rename encrypted files.\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\\\nWrite this ID in the title of your message BCBEF350\\\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\\\nhttps://localbitcoins.com/buy_bitcoins \\\\nAlso you can find other places to buy Bitcoins and beginners guide here: \\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\\\nAttention!\\\\nDo not rename encrypted files. 
\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email Beamsell@qq.com\"],\"ransomnotes-filenames\":[\"README.txt\",\"README.jpg\",\"Info.hta\",\"FILES ENCRYPTED.txt\",\"INFO.hta\"],\"ransomnotes-refs\":[\"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg\",\"https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg\",\"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg\",\"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg\",\"https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg\"],\"refs\":[\"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html\",\"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/\",\"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/\",\"https://twitter.com/demonslay335/status/1049313390097813504\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/\",\"https://twitter.com/JakubKroustek/status/1038680437508501504\",\"https://twitter.com/demonslay335/status/1059521042383814657\",\"https://twitter.com/demonslay335/status/1059940414147489792\",\"https://twitter.com/JakubKroustek/status/1060825783197933568\",\"https://twitter.com/JakubKroustek/status/1064061275863425025\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/\",\"https://www.youtube.com/watch?v=qjoYtwLx2TI\",\"https://twitter.com/GrujaRS/status/1072139616910757888\
"]},\"source\":\"Various\",\"tag_id\":\"23\",\"tag_name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"type\":\"ransomware\",\"uuid\":\"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b\",\"value\":\"Dharma Ransomware\",\"version\":\"86\"}],\"description\":\"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"icon\":\"btc\",\"id\":\"43\",\"name\":\"Ransomware\",\"namespace\":\"misp\",\"type\":\"ransomware\",\"uuid\":\"3f44af2e-1480-4b6b-9aa8-f9bb21341078\",\"version\":\"4\"}],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#0088cc\",\"exportable\":true,\"hide_tag\":false,\"id\":\"23\",\"local\":0,\"name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"21\",\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#ffffff\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"local\":0,\"name\":\"tlp:white\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#2c4f00\",\"exportable\":true,\"hide_tag\":false,\"id\":\"24\",\"local\":0,\"name\":\"malware_classification:malware-category=\\\"Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#00223b\",\"exportable\":true,\"hide_tag\":false,\"id\":\"3\",\"local\":0,\"name\":\"osint:source-type=\\\"blog - post\\\"\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"7\",\"date\":\"2017-08-25\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"5\",\"info\":\"OSINT - New Arena Crysis Ransomware Variant 
Released\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1603226331\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1503930276\",\"uuid\":\"59a3d08d-5dc8-4153-bc7c-456d950d210f\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "5", - "id": "351", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2017-08-28T14:24:32.000Z", - "to_ids": true, - "type": "md5", - "uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81" - }, - "event": { - "attribute_count": 7, - "date": "2017-08-25", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "5", - "info": "OSINT - New Arena Crysis Ransomware Variant Released", - "locked": false, - "org_id": "1", - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "2020-10-20T20:38:51.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 3, - "uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f" - }, - "orgc": { - "id": "2", - "local": false, - "name": "CIRCL", - "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" - } - }, - "tags": [ - "preserve_original_event", - "misp-galaxy:ransomware=Dharma Ransomware", - "type:OSINT", - "tlp:white", - "malware_classification:malware-category=Ransomware", - "osint:source-type=blog - post" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "md5": "f2679bdabe46e10edc6352fff3c829bc" - } - }, - "marking": { - "tlp": [ - "WHITE" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "file" - } - } - }, - { - "@timestamp": "2017-08-28T14:24:36.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - 
"original": "{\"Event\":{\"Attribute\":{\"id\":\"10794\",\"type\":\"domain|ip\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"5bf30242-8ef4-4c52-a2d7-0b7b0a016219\",\"event_id\":\"14\",\"distribution\":\"5\",\"timestamp\":\"1542652482\",\"comment\":\"1st stage\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"your-ip.getmyip.com|89.160.20.156\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"EventReport\":[],\"Galaxy\":[{\"GalaxyCluster\":[{\"authors\":[\"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"http://pastebin.com/raw/GHgpWjar\",\"MISP Project\"],\"collection_uuid\":\"10cf658b-5d32-4c4b-bb32-61760a640372\",\"description\":\"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\\\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant\",\"galaxy_id\":\"43\",\"id\":\"6619\",\"local\":false,\"meta\":{\"date\":[\"November 2016\"],\"encryption\":[\"AES + RSA-512\"],\"extensions\":[\".dharma\",\".wallet\",\".zzzzz\",\".cmb\",\".id-BCBEF350.[paymentbtc@firemail.cc].cmb\",\".bip\",\".id-BCBEF350.[Beamsell@qq.com].bip\",\".boost\",\".[Darknes@420blaze.it].waifu\",\".brrr\",\".adobe\",\".tron\",\".AUDIT\",\".cccmn\",\".fire\",\".myjob\",\".[cyberwars@qq.com].war\",\".risk\",\".RISK\",\".bkpx\",\".[newsantaclaus@aol.com].santa\"],\"payment-method\":[\"Bitcoin - Email\"],\"ransomnotes\":[\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email paymentbtc@firemail.cc\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\\\nWrite this ID in the title of your message ACBFF130\\\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\\\nhttps://localbitcoins.com/buy_bitcoins\\\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\\\nAttention!\\\\nDo not rename encrypted files.\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\\\nWrite this ID in the title of your message BCBEF350\\\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\\\nhttps://localbitcoins.com/buy_bitcoins \\\\nAlso you can find other places to buy Bitcoins and beginners guide here: \\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\\\nAttention!\\\\nDo not rename encrypted files. 
\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email Beamsell@qq.com\"],\"ransomnotes-filenames\":[\"README.txt\",\"README.jpg\",\"Info.hta\",\"FILES ENCRYPTED.txt\",\"INFO.hta\"],\"ransomnotes-refs\":[\"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg\",\"https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg\",\"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg\",\"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg\",\"https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg\"],\"refs\":[\"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html\",\"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/\",\"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/\",\"https://twitter.com/demonslay335/status/1049313390097813504\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/\",\"https://twitter.com/JakubKroustek/status/1038680437508501504\",\"https://twitter.com/demonslay335/status/1059521042383814657\",\"https://twitter.com/demonslay335/status/1059940414147489792\",\"https://twitter.com/JakubKroustek/status/1060825783197933568\",\"https://twitter.com/JakubKroustek/status/1064061275863425025\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/\",\"https://www.youtube.com/watch?v=qjoYtwLx2TI\",\"https://twitter.com/GrujaRS/status/1072139616910757888\
"]},\"source\":\"Various\",\"tag_id\":\"23\",\"tag_name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"type\":\"ransomware\",\"uuid\":\"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b\",\"value\":\"Dharma Ransomware\",\"version\":\"86\"}],\"description\":\"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"icon\":\"btc\",\"id\":\"43\",\"name\":\"Ransomware\",\"namespace\":\"misp\",\"type\":\"ransomware\",\"uuid\":\"3f44af2e-1480-4b6b-9aa8-f9bb21341078\",\"version\":\"4\"}],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#0088cc\",\"exportable\":true,\"hide_tag\":false,\"id\":\"23\",\"local\":0,\"name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"21\",\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#ffffff\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"local\":0,\"name\":\"tlp:white\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#2c4f00\",\"exportable\":true,\"hide_tag\":false,\"id\":\"24\",\"local\":0,\"name\":\"malware_classification:malware-category=\\\"Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#00223b\",\"exportable\":true,\"hide_tag\":false,\"id\":\"3\",\"local\":0,\"name\":\"osint:source-type=\\\"blog - post\\\"\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"7\",\"date\":\"2017-08-25\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"5\",\"info\":\"OSINT - New Arena Crysis Ransomware Variant 
Released\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1603226331\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1503930276\",\"uuid\":\"59a3d08d-5dc8-4153-bc7c-456d950d210f\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "1st stage", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "14", - "id": "10794", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2018-11-19T18:34:42.000Z", - "to_ids": false, - "type": "domain|ip", - "uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219" - }, - "event": { - "attribute_count": 7, - "date": "2017-08-25", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "5", - "info": "OSINT - New Arena Crysis Ransomware Variant Released", - "locked": false, - "org_id": "1", - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "2020-10-20T20:38:51.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 3, - "uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f" - }, - "orgc": { - "id": "2", - "local": false, - "name": "CIRCL", - "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" - } - }, - "tags": [ - "preserve_original_event", - "misp-galaxy:ransomware=Dharma Ransomware", - "type:OSINT", - "tlp:white", - "malware_classification:malware-category=Ransomware", - "osint:source-type=blog - post" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "ip": "89.160.20.156", - "marking": { - "tlp": [ - "WHITE" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "your-ip.getmyip.com" - } - } - } - }, - { - "@timestamp": "2017-04-28T18:23:44.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": 
"{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"External analysis\",\"comment\":\"Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"4\",\"first_seen\":null,\"id\":\"342\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1490878550\",\"to_ids\":false,\"type\":\"link\",\"uuid\":\"58dd0056-6e74-43d5-b58b-494802de0b81\",\"value\":\"https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/\"},\"EventReport\":[],\"Galaxy\":[{\"GalaxyCluster\":[{\"authors\":[\"Alexandre Dulaunoy\",\"Florian Roth\",\"Timo Steffens\",\"Christophe Vandeplas\",\"Dennis Rand\",\"raw-data\"],\"collection_uuid\":\"0d821b68-9d82-4c6d-86a6-1071a9e0f79f\",\"description\":\"Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver). A macOS version exists but appears incomplete and lacking features...for now!\",\"galaxy_id\":\"36\",\"id\":\"5828\",\"local\":false,\"meta\":{\"refs\":[\"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf\",\"https://objective-see.com/blog/blog_0x25.html#Snake\"],\"synonyms\":[\"Snake\",\"Uroburos\",\"Urouros\"],\"type\":[\"Backdoor\",\"Rootkit\"]},\"source\":\"MISP Project\",\"tag_id\":\"22\",\"tag_name\":\"misp-galaxy:tool=\\\"Turla\\\"\",\"type\":\"tool\",\"uuid\":\"22332d52-c0c2-443c-9ffb-f08c0d23722c\",\"value\":\"Turla\",\"version\":\"138\"}],\"description\":\"Threat actors tools is an enumeration of tools used by adversaries. 
The list includes malware but also common software regularly used by the adversaries.\",\"icon\":\"optin-monster\",\"id\":\"36\",\"name\":\"Tool\",\"namespace\":\"misp\",\"type\":\"tool\",\"uuid\":\"9b8037f7-bc8f-4de1-a797-37266619bc0b\",\"version\":\"3\"}],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"4\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"analysis\":\"2\",\"date\":\"2015-01-20\",\"distribution\":\"3\",\"id\":\"369\",\"info\":\"OSINT Analysis of Project Cobra Another extensible framework used by the Uroburos’ actors from Gdata\",\"org_id\":\"1\",\"orgc_id\":\"4\",\"published\":true,\"threat_level_id\":\"1\",\"timestamp\":\"1498163317\",\"uuid\":\"54bf5a6f-ac50-4f71-9cd3-7080950d210b\"}},{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"4\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"analysis\":\"2\",\"date\":\"2014-11-20\",\"distribution\":\"3\",\"id\":\"621\",\"info\":\"Turla digging using 
TotalHash\",\"org_id\":\"1\",\"orgc_id\":\"4\",\"published\":true,\"threat_level_id\":\"2\",\"timestamp\":\"1498163604\",\"uuid\":\"546daad5-425c-4ac4-82c7-e07f950d210b\"}}],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#065100\",\"exportable\":true,\"hide_tag\":false,\"id\":\"22\",\"local\":0,\"name\":\"misp-galaxy:tool=\\\"Turla\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#ffffff\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"local\":0,\"name\":\"tlp:white\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"100\",\"date\":\"2017-03-30\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"4\",\"info\":\"OSINT - Carbon Paper: Peering into Turla’s second stage backdoor\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1603226330\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1493403824\",\"uuid\":\"58dcfe62-ed84-4e5e-b293-4991950d210f\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "External analysis", - "comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "4", - "id": "342", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2017-03-30T12:55:50.000Z", - "to_ids": false, - "type": "link", - "uuid": "58dd0056-6e74-43d5-b58b-494802de0b81" - }, - "event": { - "attribute_count": 100, - "date": "2017-03-30", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "4", - "info": "OSINT - Carbon Paper: Peering into Turla’s second stage backdoor", - "locked": false, - "org_id": "1", - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "2020-10-20T20:38:50.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 3, - "uuid": 
"58dcfe62-ed84-4e5e-b293-4991950d210f" - }, - "orgc": { - "id": "2", - "local": false, - "name": "CIRCL", - "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" - } - }, - "tags": [ - "preserve_original_event", - "misp-galaxy:tool=Turla", - "tlp:white" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "WHITE" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "url", - "url": { - "domain": "www.virustotal.com", - "full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", - "original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", - "path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", - "scheme": "https" - } - } - } - }, - { - "@timestamp": "2014-10-06T07:12:57.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1077\",\"type\":\"sha256\",\"category\":\"External 
analysis\",\"to_ids\":true,\"uuid\":\"54324042-49fc-4628-a95e-44da950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579394\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "External analysis", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "2", - "id": "1077", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2014-10-06T07:09:54.000Z", - "to_ids": true, - "type": "sha256", - "uuid": "54324042-49fc-4628-a95e-44da950d210b" - }, - "event": { - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T11:05:16.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" 
- } - }, - "tags": [ - "preserve_original_event", - "type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0" - } - }, - "marking": { - "tlp": [ - "GREEN" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "file" - } - } - }, - { - "@timestamp": "2014-10-06T07:12:57.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1084\",\"type\":\"ip-dst\",\"category\":\"Network 
activity\",\"to_ids\":true,\"uuid\":\"54324081-3308-4f1f-8674-4953950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579457\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"89.160.20.156\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "2", - "id": "1084", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2014-10-06T07:10:57.000Z", - "to_ids": true, - "type": "ip-dst", - "uuid": "54324081-3308-4f1f-8674-4953950d210b" - }, - "event": { - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T11:05:16.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - } - }, - "tags": [ - "preserve_original_event", - 
"type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "ip": "89.160.20.156", - "marking": { - "tlp": [ - "GREEN" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "ipv4-addr" - } - } - }, - { - "@timestamp": "2014-10-06T07:12:57.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1086\",\"type\":\"hostname\",\"category\":\"Network 
activity\",\"to_ids\":true,\"uuid\":\"543240dc-f068-437a-baa9-48f2950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579548\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"xenserver.ddns.net\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "2", - "id": "1086", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2014-10-06T07:12:28.000Z", - "to_ids": true, - "type": "hostname", - "uuid": "543240dc-f068-437a-baa9-48f2950d210b" - }, - "event": { - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T11:05:16.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - } - }, - "tags": [ - 
"preserve_original_event", - "type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "GREEN" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "xenserver.ddns.net" - } - } - } - }, - { - "@timestamp": "2014-10-06T07:12:57.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1089\",\"type\":\"text\",\"category\":\"External 
analysis\",\"to_ids\":false,\"uuid\":\"543240f9-64e8-41f2-958f-4e21950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579577\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"Nitro\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "External analysis", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "2", - "id": "1089", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2014-10-06T07:12:57.000Z", - "to_ids": false, - "type": "text", - "uuid": "543240f9-64e8-41f2-958f-4e21950d210b", - "value": "Nitro" - }, - "event": { - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T11:05:16.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - } - }, - "tags": [ - 
"preserve_original_event", - "type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "GREEN" - ] - }, - "provider": "misp", - "scanner_stats": 2 - } - } - }, - { - "@timestamp": "2014-10-06T07:12:57.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1090\",\"type\":\"sha1\",\"category\":\"External analysis\",\"to_ids\":true,\"uuid\":\"56c625a7-f31c-460c-9ea1-c652950d210f\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1455826343\",\"comment\":\"Automatically added (via 
7915aabb2e66ff14841e4ef0fbff7486)\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"0ea76f1586c008932d90c991dfdd5042f3aac8ea\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "External analysis", - "comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "2", - "id": "1090", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2016-02-18T20:12:23.000Z", - "to_ids": true, - "type": "sha1", - "uuid": "56c625a7-f31c-460c-9ea1-c652950d210f" - }, - "event": { - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T11:05:16.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - } - }, - "tags": [ - "preserve_original_event", - "type:OSINT", - "tlp:green" - ], - "threat": 
{ - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea" - } - }, - "marking": { - "tlp": [ - "GREEN" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "file" - } - } - }, - { - "@timestamp": "2014-10-06T07:12:57.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"12394\",\"type\":\"domain\",\"category\":\"Network 
activity\",\"to_ids\":false,\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"event_id\":\"22\",\"distribution\":\"5\",\"timestamp\":\"1462454963\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"whatsapp.com\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "22", - "id": "12394", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2016-05-05T13:29:23.000Z", - "to_ids": false, - "type": "domain", - "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" - }, - "event": { - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T11:05:16.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - } - }, - "tags": [ - 
"preserve_original_event", - "type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "GREEN" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "whatsapp.com" - } - } - } - }, - { - "@timestamp": "2018-08-28T13:20:17.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"158\",\"orgc_id\":\"5\",\"org_id\":\"1\",\"date\":\"2018-01-08\",\"threat_level_id\":\"1\",\"info\":\"Turla: Mosquito Whitepaper\",\"published\":true,\"uuid\":\"5a5395d1-40a0-45fc-b692-334a0a016219\",\"attribute_count\":\"61\",\"analysis\":\"0\",\"timestamp\":\"1535462417\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637953\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"local\":false},\"Attribute\":{\"id\":\"17299\",\"type\":\"url\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"5a53976c-e7c8-480d-a68a-2fc50a016219\",\"event_id\":\"158\",\"distribution\":\"5\",\"timestamp\":\"1515427692\",\"comment\":\"Fake adobe URL\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"http://get.adobe.com/stats/AbfFcBebD/?q=\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[{\"Event\":{\"id\":\"58\",\"date\":\"2018-08-17\",\"threat_level_id\":\"1\",\"info\":\"Turla Outlook White 
Paper\",\"published\":true,\"uuid\":\"5b773e07-e694-458b-b99c-27f30a016219\",\"analysis\":\"0\",\"timestamp\":\"1535462383\",\"distribution\":\"3\",\"org_id\":\"1\",\"orgc_id\":\"5\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\"}}}],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"7\",\"name\":\"misp-galaxy:threat-actor=\\\"Turla Group\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"70\",\"name\":\"Turla\",\"colour\":\"#f20f53\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "Fake adobe URL", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "158", - "id": "17299", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2018-01-08T16:08:12.000Z", - "to_ids": false, - "type": "url", - "uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219" - }, - "event": { - "attribute_count": 61, - "date": "2018-01-08", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "158", - "info": "Turla: Mosquito Whitepaper", - "locked": false, - "org_id": "1", - "orgc_id": "5", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T15:25:53.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" - }, - "orgc": { - "id": "5", - "local": false, - "name": 
"ESET", - "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" - } - }, - "tags": [ - "preserve_original_event", - "misp-galaxy:threat-actor=Turla Group", - "Turla", - "tlp:white" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "WHITE" - ] - }, - "provider": "misp", - "scanner_stats": 0, - "type": "url", - "url": { - "domain": "get.adobe.com", - "full": "http://get.adobe.com/stats/AbfFcBebD/?q=", - "original": "http://get.adobe.com/stats/AbfFcBebD/?q=", - "path": "/stats/AbfFcBebD/", - "query": "q=", - "scheme": "http" - } - } - } - }, - { - "@timestamp": "2018-08-28T13:20:17.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"158\",\"orgc_id\":\"5\",\"org_id\":\"1\",\"date\":\"2018-01-08\",\"threat_level_id\":\"1\",\"info\":\"Turla: Mosquito Whitepaper\",\"published\":true,\"uuid\":\"5a5395d1-40a0-45fc-b692-334a0a016219\",\"attribute_count\":\"61\",\"analysis\":\"0\",\"timestamp\":\"1535462417\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637953\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"local\":false},\"Attribute\":{\"id\":\"17330\",\"type\":\"uri\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"5a539ce1-3de0-4e34-8fc4-2fc50a016219\",\"event_id\":\"158\",\"distribution\":\"5\",\"timestamp\":\"1515429089\",\"comment\":\"Win32 backdoor C\u0026C 
URI\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"/scripts/m/query.php?id=\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[{\"Event\":{\"id\":\"58\",\"date\":\"2018-08-17\",\"threat_level_id\":\"1\",\"info\":\"Turla Outlook White Paper\",\"published\":true,\"uuid\":\"5b773e07-e694-458b-b99c-27f30a016219\",\"analysis\":\"0\",\"timestamp\":\"1535462383\",\"distribution\":\"3\",\"org_id\":\"1\",\"orgc_id\":\"5\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\"}}}],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"7\",\"name\":\"misp-galaxy:threat-actor=\\\"Turla Group\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"70\",\"name\":\"Turla\",\"colour\":\"#f20f53\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "Win32 backdoor C\u0026C URI", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "158", - "id": "17330", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2018-01-08T16:31:29.000Z", - "to_ids": false, - "type": "uri", - "uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219" - }, - "event": { - "attribute_count": 61, - "date": "2018-01-08", - "disable_correlation": false, - 
"distribution": 3, - "extends_uuid": "", - "id": "158", - "info": "Turla: Mosquito Whitepaper", - "locked": false, - "org_id": "1", - "orgc_id": "5", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T15:25:53.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" - }, - "orgc": { - "id": "5", - "local": false, - "name": "ESET", - "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" - } - }, - "tags": [ - "preserve_original_event", - "misp-galaxy:threat-actor=Turla Group", - "Turla", - "tlp:white" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "WHITE" - ] - }, - "provider": "misp", - "scanner_stats": 0, - "type": "url" - } - } - }, - { - "@timestamp": "2018-08-28T13:20:17.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"158\",\"orgc_id\":\"5\",\"org_id\":\"1\",\"date\":\"2018-01-08\",\"threat_level_id\":\"1\",\"info\":\"Turla: Mosquito Whitepaper\",\"published\":true,\"uuid\":\"5a5395d1-40a0-45fc-b692-334a0a016219\",\"attribute_count\":\"61\",\"analysis\":\"0\",\"timestamp\":\"1535462417\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637953\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"local\":false},\"Attribute\":{\"id\":\"17322\",\"type\":\"filename|sha1\",\"category\":\"Artifacts dropped\",\"to_ids\":false,\"uuid\":\"5a539ce1-e6a0-426a-942c-2fc50a016219\",\"event_id\":\"158\",\"distribution\":\"5\",\"timestamp\":\"1515429089\",\"comment\":\"JavaScript 
backdoor\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"google_update_checker.js|c51d288469df9f25e2fb7ac491918b3e579282ea\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[{\"Event\":{\"id\":\"58\",\"date\":\"2018-08-17\",\"threat_level_id\":\"1\",\"info\":\"Turla Outlook White Paper\",\"published\":true,\"uuid\":\"5b773e07-e694-458b-b99c-27f30a016219\",\"analysis\":\"0\",\"timestamp\":\"1535462383\",\"distribution\":\"3\",\"org_id\":\"1\",\"orgc_id\":\"5\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\"}}}],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"7\",\"name\":\"misp-galaxy:threat-actor=\\\"Turla Group\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"70\",\"name\":\"Turla\",\"colour\":\"#f20f53\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Artifacts dropped", - "comment": "JavaScript backdoor", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "158", - "id": "17322", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2018-01-08T16:31:29.000Z", - "to_ids": false, - "type": "filename|sha1", - "uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219" - }, - "event": { - "attribute_count": 61, - "date": 
"2018-01-08", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "158", - "info": "Turla: Mosquito Whitepaper", - "locked": false, - "org_id": "1", - "orgc_id": "5", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T15:25:53.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 1, - "uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" - }, - "orgc": { - "id": "5", - "local": false, - "name": "ESET", - "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" - } - }, - "tags": [ - "preserve_original_event", - "misp-galaxy:threat-actor=Turla Group", - "Turla", - "tlp:white" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea" - }, - "name": "google_update_checker.js" - }, - "marking": { - "tlp": [ - "WHITE" - ] - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - } - }, - { - "@timestamp": "2018-01-23T16:09:56.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"22\",\"orgc_id\":\"4\",\"org_id\":\"1\",\"date\":\"2015-12-08\",\"threat_level_id\":\"3\",\"info\":\"Packrat: Seven Years of a South American Threat Actor\",\"published\":true,\"uuid\":\"56ccdcaf-f7e4-40d8-bca1-51299062e56a\",\"attribute_count\":\"133\",\"analysis\":\"2\",\"timestamp\":\"1516723796\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637901\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"4\",\"name\":\"CUDESO\",\"uuid\":\"56c42374-fdb8-4544-a218-41ffc0a8ab16\",\"local\":false},\"Attribute\":{\"id\":\"12268\",\"type\":\"email-src\",\"category\":\"Payload 
delivery\",\"to_ids\":true,\"uuid\":\"56ccdcb6-4d6c-4e48-b955-52849062e56a\",\"event_id\":\"22\",\"distribution\":\"5\",\"timestamp\":\"1456266422\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"claudiobonadio88@gmail.com\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "22", - "id": "12268", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2016-02-23T22:27:02.000Z", - "to_ids": true, - "type": "email-src", - "uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a" - }, - "event": { - "attribute_count": 133, - "date": "2015-12-08", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "22", - "info": "Packrat: Seven Years of a South American Threat Actor", - "locked": false, - "org_id": "1", - "orgc_id": "4", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T15:25:01.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 3, - "uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a" - }, - "orgc": { - "id": "4", - "local": false, - "name": "CUDESO", - "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16" - } - }, - "tags": [ - "preserve_original_event", - "tlp:white" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "email": { - "address": "claudiobonadio88@gmail.com" - }, - "marking": { - "tlp": [ - "WHITE" - ] - }, - "provider": "misp", - "scanner_stats": 2, - 
"type": "email-addr" - } - } - }, - { - "@timestamp": "2018-01-23T16:09:56.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"22\",\"orgc_id\":\"4\",\"org_id\":\"1\",\"date\":\"2015-12-08\",\"threat_level_id\":\"3\",\"info\":\"Packrat: Seven Years of a South American Threat Actor\",\"published\":true,\"uuid\":\"56ccdcaf-f7e4-40d8-bca1-51299062e56a\",\"attribute_count\":\"133\",\"analysis\":\"2\",\"timestamp\":\"1516723796\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637901\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"4\",\"name\":\"CUDESO\",\"uuid\":\"56c42374-fdb8-4544-a218-41ffc0a8ab16\",\"local\":false},\"Attribute\":{\"id\":\"12298\",\"type\":\"regkey\",\"category\":\"Artifacts dropped\",\"to_ids\":true,\"uuid\":\"56ccdcd6-f4b8-4383-9624-52849062e56a\",\"event_id\":\"22\",\"distribution\":\"5\",\"timestamp\":\"1456266454\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "22", - "id": "12298", - "object_id": "0", - "sharing_group_id": 
"0", - "timestamp": "2016-02-23T22:27:34.000Z", - "to_ids": true, - "type": "regkey", - "uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a" - }, - "event": { - "attribute_count": 133, - "date": "2015-12-08", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "22", - "info": "Packrat: Seven Years of a South American Threat Actor", - "locked": false, - "org_id": "1", - "orgc_id": "4", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T15:25:01.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 3, - "uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a" - }, - "orgc": { - "id": "4", - "local": false, - "name": "CUDESO", - "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16" - } - }, - "tags": [ - "preserve_original_event", - "tlp:white" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "WHITE" - ] - }, - "provider": "misp", - "registry": { - "key": "HKLM\\SOFTWARE\\Microsoft\\Active" - }, - "scanner_stats": 2, - "type": "windows-registry-key" - } - } - }, - { - "@timestamp": "2020-12-13T14:03:16.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"Event\":{\"id\":\"10\",\"orgc_id\":\"4\",\"org_id\":\"1\",\"date\":\"2020-12-09\",\"threat_level_id\":\"3\",\"info\":\"Recent Qakbot (Qbot) 
activity\",\"published\":true,\"uuid\":\"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16\",\"attribute_count\":\"15\",\"analysis\":\"2\",\"timestamp\":\"1607868196\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637888\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"4\",\"name\":\"CUDESO\",\"uuid\":\"56c42374-fdb8-4544-a218-41ffc0a8ab16\",\"local\":false},\"Attribute\":{\"id\":\"10686\",\"type\":\"ip-dst|port\",\"category\":\"Network activity\",\"to_ids\":true,\"uuid\":\"5fd0c620-a844-4ace-9710-a37bc0a8ab16\",\"event_id\":\"10\",\"distribution\":\"5\",\"timestamp\":\"1607517728\",\"comment\":\"On port 2222\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"89.160.20.156|2222\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"6\",\"name\":\"misp-galaxy:banker=\\\"Qakbot\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0}]}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "On port 2222", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "10", - "id": "10686", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "2020-12-09T12:42:08.000Z", - "to_ids": true, - "type": "ip-dst|port", - "uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16" - 
}, - "event": { - "attribute_count": 15, - "date": "2020-12-09", - "disable_correlation": false, - "distribution": 3, - "extends_uuid": "", - "id": "10", - "info": "Recent Qakbot (Qbot) activity", - "locked": false, - "org_id": "1", - "orgc_id": "4", - "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T15:24:48.000Z", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 3, - "uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16" - }, - "orgc": { - "id": "4", - "local": false, - "name": "CUDESO", - "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16" - } - }, - "tags": [ - "preserve_original_event", - "tlp:white", - "misp-galaxy:banker=Qakbot" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "ip": "89.160.20.156", - "marking": { - "tlp": [ - "WHITE" - ] - }, - "port": 2222, - "provider": "misp", - "scanner_stats": 2, - "type": "ipv4-addr" - } - } - }, - null - ] -} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml index 3a5a5b91db..2654b19845 100644 --- a/test/packages/with-logstash/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml @@ -6,7 +6,7 @@ processors: #################### - set: field: ecs.version - value: '8.9.0' + value: '8.10.0' - set: field: event.kind value: enrichment diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml index 4e58dd4312..337375ce74 100644 --- a/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/fields/base-fields.yml 
@@ -26,6 +26,3 @@ - name: "@timestamp" type: date description: Event timestamp. -- name: "@version" - type: text - description: Event version. diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat/sample_event.json b/test/packages/with-logstash/ti_misp/data_stream/threat/sample_event.json index 271f4a099f..248dcb4528 100644 --- a/test/packages/with-logstash/ti_misp/data_stream/threat/sample_event.json +++ b/test/packages/with-logstash/ti_misp/data_stream/threat/sample_event.json @@ -13,7 +13,7 @@ "type": "logs" }, "ecs": { - "version": "8.9.0" + "version": "8.10.0" }, "elastic_agent": { "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-common-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-common-config.yml deleted file mode 100644 index 4da2264165..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-common-config.yml +++ /dev/null @@ -1,3 +0,0 @@ -fields: - tags: - - preserve_original_event diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log deleted file mode 100644 index c6ce1d24c8..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log +++ /dev/null 
@@ -1,12 +0,0 @@ -{"id":"12345","event_id":"12345","object_id":"12345","object_relation":"sensor","category":"Internal reference","type":"md5","value":"127.0.0.1","to_ids":true,"uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","timestamp":"1617875568","distribution":"0","sharing_group_id":"1","comment":"logged source ip","deleted":false,"disable_correlation":false,"first_seen":"1581984000000000","last_seen":"1581984000000000","data":"string","event_uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","decay_score":[{"score":10.5,"base_score":80,"decayed":true,"DecayingModel":{"id":"12345","name":"Phishing model"}}],"Event":{"id":"12345","org_id":"12345","distribution":"0","info":"logged source ip","orgc_id":"12345","uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","date":"1991-01-15","published":false,"analysis":"0","attribute_count":"321","timestamp":"1617875568","sharing_group_id":"1","proposal_email_lock":true,"locked":true,"threat_level_id":"1","publish_timestamp":"1617875568","sighting_timestamp":"1617875568","disable_correlation":false,"extends_uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","event_creator_email":"user@example.com"},"Object":{"id":"12345","name":"ail-leak","meta-category":"string","description":"string","template_uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","template_version":"1","event_id":"12345","uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","timestamp":"1617875568","distribution":"0","sharing_group_id":"1","comment":"string","deleted":true,"first_seen":"1581984000000000","last_seen":"1581984000000000","Attribute":[{"id":"12345","event_id":"12345","object_id":"12345","object_relation":"sensor","category":"Internal reference","type":"md5","value":"127.0.0.1","to_ids":true,"uuid":"c99506a6-1255-4b71-afa5-7b8ba48c3b1b","timestamp":"1617875568","distribution":"0","sharing_group_id":"1","comment":"logged source 
ip","deleted":false,"disable_correlation":false,"first_seen":"1581984000000000","last_seen":"1581984000000000"}]},"Tag":[{"id":"12345","name":"tlp:white","colour":"#ffffff","exportable":true,"org_id":"12345","user_id":"12345","hide_tag":false,"numerical_value":"12345","is_galaxy":true,"is_custom_galaxy":true,"inherited":1}]} -{"id":"1","event_id":"1","object_id":"0","object_relation":null,"category":"External analysis","type":"link","to_ids":false,"uuid":"542e4cbd-ee78-4a57-bfb8-1fda950d210b","timestamp":"1412320445","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http://labs.opendns.com/2014/10/02/opendns-and-bash/","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT ShellShock scanning IPs from OpenDNS","orgc_id":"2","uuid":"542e4c9c-cadc-4f8f-bb11-6d13950d210b"}} -{"id":"4","event_id":"1","object_id":"0","object_relation":null,"category":"External analysis","type":"text","to_ids":false,"uuid":"542e4ccc-b8fc-44af-959d-6ead950d210b","timestamp":"1412320460","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"Shellshock","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT ShellShock scanning IPs from OpenDNS","orgc_id":"2","uuid":"542e4c9c-cadc-4f8f-bb11-6d13950d210b"}} -{"id":"5","event_id":"1","object_id":"0","object_relation":null,"category":"External analysis","type":"comment","to_ids":false,"uuid":"542e4ce7-6120-41c0-8793-e90e950d210b","timestamp":"1412320487","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"Data encoded by David André","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT ShellShock scanning IPs from OpenDNS","orgc_id":"2","uuid":"542e4c9c-cadc-4f8f-bb11-6d13950d210b"}} 
-{"id":"6","event_id":"1","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-src","to_ids":true,"uuid":"542e4cfe-21ac-46a7-9d82-06b3950d210b","timestamp":"1412320510","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"81.2.69.193","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT ShellShock scanning IPs from OpenDNS","orgc_id":"2","uuid":"542e4c9c-cadc-4f8f-bb11-6d13950d210b"}} -{"id":"10","event_id":"1","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-src","to_ids":true,"uuid":"542e4cfe-7a98-4c98-a862-06b3950d210b","timestamp":"1412320510","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"81.2.69.145","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT ShellShock scanning IPs from OpenDNS","orgc_id":"2","uuid":"542e4c9c-cadc-4f8f-bb11-6d13950d210b"}} -{"id":"35744","event_id":"29","object_id":"0","object_relation":null,"category":"Artifacts dropped","type":"filename|sha256","to_ids":true,"uuid":"54744143-fc88-4508-bf10-458d950d210b","timestamp":"1416905027","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7|7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7","Event":{"org_id":"1","distribution":"3","id":"29","info":"Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept","orgc_id":"2","uuid":"54743eaf-e1c0-47a0-b838-49d7950d210b"}} -{"id":"35961","event_id":"31","object_id":"0","object_relation":null,"category":"Artifacts dropped","type":"filename|md5","to_ids":true,"uuid":"56c6482a-ceb8-4402-8480-599f950d210f","timestamp":"1455835178","distribution":"5","sharing_group_id":"0","comment":"Automatically added (via VirusShare_1f36209c1763d31af06a66f866dbb7b6|01764db54541ced228a598fe020b3971f5ef82d7)","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"VirusShare_1f36209c1763d31af06a66f866dbb7b6|1f36209c1763d31af06a66f866dbb7b6","Event":{"org_id":"1","distribution":"3","id":"31","info":"OSINT Regin samples shared by VirusShare","orgc_id":"2","uuid":"5476c461-5930-4ddb-8d40-d4ad950d210b"}} -{"id":"37412","event_id":"44","object_id":"0","object_relation":null,"category":"Artifacts dropped","type":"regkey","to_ids":true,"uuid":"54cb360e-7f00-4311-aed4-4505950d210b","timestamp":"1422603790","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\f0xy","Event":{"org_id":"1","distribution":"3","id":"44","info":"OSINT New 'f0xy' malware is intelligent - employs cunning stealth & trickery from Websense","orgc_id":"2","uuid":"54cb3580-cde4-4b39-bf8c-443f950d210b"}} -{"id":"40687","event_id":"53","object_id":"0","object_relation":null,"category":"Network activity","type":"AS","to_ids":false,"uuid":"54f86825-c80c-47cf-a795-48c1950d210b","timestamp":"1425565733","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"48031","Event":{"org_id":"1","distribution":"3","id":"53","info":"OSINT Analysis of malcious CHM file by OpenDNS","orgc_id":"2","uuid":"54f8662f-c7f0-4f59-a42a-a9a9950d210b"}} 
-{"id":"1084","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"54324081-3308-4f1f-8674-4953950d210b","timestamp":"1412579457","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"89.160.20.129","Event":{"org_id":"1","distribution":"3","id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","orgc_id":"2","uuid":"54323f2c-e50c-4268-896c-4867950d210b"}} -{"id":"24749","event_id":"10","object_id":"0","object_relation":null,"category":"Network activity","type":"email-dst","to_ids":true,"uuid":"544ff4c2-914c-482f-aa29-4c43950d210b","timestamp":"1414526146","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"lisa.cuddy@wind0ws.kz","Event":{"org_id":"1","distribution":"3","id":"10","info":"OSINT APT28: A Window into Russia’s Cyber Espionage Operations? blog post by FireEye","orgc_id":"2","uuid":"544fee45-f108-4fa6-ace9-3989950d210b"}} diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json deleted file mode 100644 index fe390ee961..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json +++ /dev/null 
@@ -1,767 +0,0 @@ -{ - "expected": [ - { - "@timestamp": "2021-04-08T09:52:48.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"12345\",\"event_id\":\"12345\",\"object_id\":\"12345\",\"object_relation\":\"sensor\",\"category\":\"Internal reference\",\"type\":\"md5\",\"value\":\"127.0.0.1\",\"to_ids\":true,\"uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"timestamp\":\"1617875568\",\"distribution\":\"0\",\"sharing_group_id\":\"1\",\"comment\":\"logged source ip\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":\"1581984000000000\",\"last_seen\":\"1581984000000000\",\"data\":\"string\",\"event_uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"decay_score\":[{\"score\":10.5,\"base_score\":80,\"decayed\":true,\"DecayingModel\":{\"id\":\"12345\",\"name\":\"Phishing model\"}}],\"Event\":{\"id\":\"12345\",\"org_id\":\"12345\",\"distribution\":\"0\",\"info\":\"logged source ip\",\"orgc_id\":\"12345\",\"uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"date\":\"1991-01-15\",\"published\":false,\"analysis\":\"0\",\"attribute_count\":\"321\",\"timestamp\":\"1617875568\",\"sharing_group_id\":\"1\",\"proposal_email_lock\":true,\"locked\":true,\"threat_level_id\":\"1\",\"publish_timestamp\":\"1617875568\",\"sighting_timestamp\":\"1617875568\",\"disable_correlation\":false,\"extends_uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"event_creator_email\":\"user@example.com\"},\"Object\":{\"id\":\"12345\",\"name\":\"ail-leak\",\"meta-category\":\"string\",\"description\":\"string\",\"template_uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"template_version\":\"1\",\"event_id\":\"12345\",\"uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"timestamp\":\"1617875568\",\"distribution\":\"0\",\"sharing_group_id\":\"1\",\"comment\":\"string\",\"deleted\":true,\"first_seen\":\"1581984000000000\",\"last_seen\":\"1581984000000000\",\"Attribute\":[{\"id\":\"12345\",\"event_id\":\"12345\",
\"object_id\":\"12345\",\"object_relation\":\"sensor\",\"category\":\"Internal reference\",\"type\":\"md5\",\"value\":\"127.0.0.1\",\"to_ids\":true,\"uuid\":\"c99506a6-1255-4b71-afa5-7b8ba48c3b1b\",\"timestamp\":\"1617875568\",\"distribution\":\"0\",\"sharing_group_id\":\"1\",\"comment\":\"logged source ip\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":\"1581984000000000\",\"last_seen\":\"1581984000000000\"}]},\"Tag\":[{\"id\":\"12345\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"org_id\":\"12345\",\"user_id\":\"12345\",\"hide_tag\":false,\"numerical_value\":\"12345\",\"is_galaxy\":true,\"is_custom_galaxy\":true,\"inherited\":1}]}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Internal reference", - "comment": "logged source ip", - "data": "string", - "decay_score": [ - { - "base_score": 80, - "decayed": true, - "decaying_model": { - "id": "12345", - "name": "Phishing model" - }, - "score": 10.5 - } - ], - "deleted": false, - "disable_correlation": false, - "distribution": 0, - "event_id": "12345", - "event_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", - "id": "12345", - "object_id": "12345", - "object_relation": "sensor", - "sharing_group_id": "1", - "to_ids": true, - "type": "md5", - "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b" - }, - "event": { - "attribute_count": 321, - "date": "1991-01-15", - "disable_correlation": false, - "distribution": 0, - "extends_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", - "id": "12345", - "info": "logged source ip", - "locked": true, - "orgc_id": "12345", - "proposal_email_lock": true, - "publish_timestamp": "2021-04-08T09:52:48.000Z", - "published": false, - "sharing_group_id": "1", - "sighting_timestamp": "2021-04-08T09:52:48.000Z", - "threat_level_id": 1, - "timestamp": "2021-04-08T09:52:48.000Z", - "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b" - }, - "object": { - "attribute": [ - { - "category": "Internal reference", - "comment": "logged source 
ip", - "deleted": false, - "disable_correlation": false, - "distribution": "0", - "event_id": "12345", - "first_seen": "1581984000000000", - "id": "12345", - "last_seen": "1581984000000000", - "object_id": "12345", - "object_relation": "sensor", - "sharing_group_id": "1", - "timestamp": "2021-04-08T09:52:48.000Z", - "to_ids": true, - "type": "md5", - "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", - "value": "127.0.0.1" - } - ], - "comment": "string", - "deleted": true, - "description": "string", - "distribution": 0, - "event_id": "12345", - "first_seen": "1581984000000000", - "id": "12345", - "last_seen": "1581984000000000", - "meta_category": "string", - "name": "ail-leak", - "sharing_group_id": "1", - "template_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", - "template_version": "1", - "timestamp": "2021-04-08T09:52:48.000Z", - "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b" - } - }, - "organization": { - "id": "12345" - }, - "tags": [ - "preserve_original_event", - "tlp:white" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "md5": "127.0.0.1" - } - }, - "first_seen": "1581984000000000", - "last_seen": "1581984000000000", - "marking": { - "tlp": [ - "WHITE" - ] - }, - "provider": "misp", - "scanner_stats": 0, - "type": "file" - } - }, - "user": { - "email": "user@example.com", - "roles": [ - "reporting_user" - ] - } - }, - { - "@timestamp": "2014-10-03T07:14:05.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"1\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"External 
analysis\",\"type\":\"link\",\"to_ids\":false,\"uuid\":\"542e4cbd-ee78-4a57-bfb8-1fda950d210b\",\"timestamp\":\"1412320445\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"http://labs.opendns.com/2014/10/02/opendns-and-bash/\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "External analysis", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "1", - "id": "1", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": false, - "type": "link", - "uuid": "542e4cbd-ee78-4a57-bfb8-1fda950d210b" - }, - "event": { - "distribution": 3, - "id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" - } - }, - "organization": { - "id": "1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "type": "url", - "url": { - "domain": "labs.opendns.com", - "full": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", - "original": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", - "path": "/2014/10/02/opendns-and-bash/", - "scheme": "http" - } - } - } - }, - { - "@timestamp": "2014-10-03T07:14:20.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"4\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"External 
analysis\",\"type\":\"text\",\"to_ids\":false,\"uuid\":\"542e4ccc-b8fc-44af-959d-6ead950d210b\",\"timestamp\":\"1412320460\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"Shellshock\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "External analysis", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "1", - "id": "4", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": false, - "type": "text", - "uuid": "542e4ccc-b8fc-44af-959d-6ead950d210b", - "value": "Shellshock" - }, - "event": { - "distribution": 3, - "id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" - } - }, - "organization": { - "id": "1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp" - } - } - }, - { - "@timestamp": "2014-10-03T07:14:47.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"5\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"External analysis\",\"type\":\"comment\",\"to_ids\":false,\"uuid\":\"542e4ce7-6120-41c0-8793-e90e950d210b\",\"timestamp\":\"1412320487\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"Data encoded by David André\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from 
OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "External analysis", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "1", - "id": "5", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": false, - "type": "comment", - "uuid": "542e4ce7-6120-41c0-8793-e90e950d210b", - "value": "Data encoded by David André" - }, - "event": { - "distribution": 3, - "id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" - } - }, - "organization": { - "id": "1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp" - } - } - }, - { - "@timestamp": "2014-10-03T07:15:10.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"6\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"ip-src\",\"to_ids\":true,\"uuid\":\"542e4cfe-21ac-46a7-9d82-06b3950d210b\",\"timestamp\":\"1412320510\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"81.2.69.193\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "1", - "id": "6", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": true, - "type": "ip-src", - "uuid": "542e4cfe-21ac-46a7-9d82-06b3950d210b" - }, - "event": { - 
"distribution": 3, - "id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" - } - }, - "organization": { - "id": "1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "ip": "81.2.69.193", - "provider": "misp", - "type": "ipv4-addr" - } - } - }, - { - "@timestamp": "2014-10-03T07:15:10.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"10\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"ip-src\",\"to_ids\":true,\"uuid\":\"542e4cfe-7a98-4c98-a862-06b3950d210b\",\"timestamp\":\"1412320510\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"81.2.69.145\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "1", - "id": "10", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": true, - "type": "ip-src", - "uuid": "542e4cfe-7a98-4c98-a862-06b3950d210b" - }, - "event": { - "distribution": 3, - "id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" - } - }, - "organization": { - "id": "1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "ip": "81.2.69.145", - "provider": "misp", - "type": "ipv4-addr" - } - } - }, - { - "@timestamp": "2014-11-25T08:43:47.000Z", - "ecs": { - "version": 
"8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"35744\",\"event_id\":\"29\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Artifacts dropped\",\"type\":\"filename|sha256\",\"to_ids\":true,\"uuid\":\"54744143-fc88-4508-bf10-458d950d210b\",\"timestamp\":\"1416905027\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7|7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"29\",\"info\":\"Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept\",\"orgc_id\":\"2\",\"uuid\":\"54743eaf-e1c0-47a0-b838-49d7950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "29", - "id": "35744", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": true, - "type": "filename|sha256", - "uuid": "54744143-fc88-4508-bf10-458d950d210b" - }, - "event": { - "distribution": 3, - "id": "29", - "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept", - "orgc_id": "2", - "uuid": "54743eaf-e1c0-47a0-b838-49d7950d210b" - } - }, - "organization": { - "id": "1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "sha256": "7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7" - }, - "name": "7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7" - }, - "provider": "misp", - "type": "file" - } - } - }, - { - "@timestamp": "2016-02-18T22:39:38.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"35961\",\"event_id\":\"31\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Artifacts dropped\",\"type\":\"filename|md5\",\"to_ids\":true,\"uuid\":\"56c6482a-ceb8-4402-8480-599f950d210f\",\"timestamp\":\"1455835178\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"Automatically added (via VirusShare_1f36209c1763d31af06a66f866dbb7b6|01764db54541ced228a598fe020b3971f5ef82d7)\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"VirusShare_1f36209c1763d31af06a66f866dbb7b6|1f36209c1763d31af06a66f866dbb7b6\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"31\",\"info\":\"OSINT Regin samples shared by VirusShare\",\"orgc_id\":\"2\",\"uuid\":\"5476c461-5930-4ddb-8d40-d4ad950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Artifacts dropped", - "comment": "Automatically added (via VirusShare_1f36209c1763d31af06a66f866dbb7b6|01764db54541ced228a598fe020b3971f5ef82d7)", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "31", - "id": "35961", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": true, - "type": "filename|md5", - "uuid": "56c6482a-ceb8-4402-8480-599f950d210f" - }, - "event": { - "distribution": 3, - "id": "31", 
- "info": "OSINT Regin samples shared by VirusShare", - "orgc_id": "2", - "uuid": "5476c461-5930-4ddb-8d40-d4ad950d210b" - } - }, - "organization": { - "id": "1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "file": { - "hash": { - "md5": "1f36209c1763d31af06a66f866dbb7b6" - }, - "name": "VirusShare_1f36209c1763d31af06a66f866dbb7b6" - }, - "provider": "misp", - "type": "file" - } - } - }, - { - "@timestamp": "2015-01-30T07:43:10.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"37412\",\"event_id\":\"44\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Artifacts dropped\",\"type\":\"regkey\",\"to_ids\":true,\"uuid\":\"54cb360e-7f00-4311-aed4-4505950d210b\",\"timestamp\":\"1422603790\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\f0xy\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"44\",\"info\":\"OSINT New 'f0xy' malware is intelligent - employs cunning stealth \u0026 trickery from Websense\",\"orgc_id\":\"2\",\"uuid\":\"54cb3580-cde4-4b39-bf8c-443f950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Artifacts dropped", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "44", - "id": "37412", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": true, - "type": "regkey", - "uuid": "54cb360e-7f00-4311-aed4-4505950d210b" - }, - "event": { - "distribution": 3, - "id": "44", - "info": "OSINT New 'f0xy' malware is intelligent - employs cunning stealth \u0026 trickery from Websense", - "orgc_id": "2", - "uuid": "54cb3580-cde4-4b39-bf8c-443f950d210b" - } - }, - "organization": { - "id": 
"1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "registry": { - "key": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\f0xy" - }, - "type": "windows-registry-key" - } - } - }, - { - "@timestamp": "2015-03-05T14:28:53.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"40687\",\"event_id\":\"53\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"AS\",\"to_ids\":false,\"uuid\":\"54f86825-c80c-47cf-a795-48c1950d210b\",\"timestamp\":\"1425565733\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"48031\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"53\",\"info\":\"OSINT Analysis of malcious CHM file by OpenDNS\",\"orgc_id\":\"2\",\"uuid\":\"54f8662f-c7f0-4f59-a42a-a9a9950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "53", - "id": "40687", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": false, - "type": "AS", - "uuid": "54f86825-c80c-47cf-a795-48c1950d210b" - }, - "event": { - "distribution": 3, - "id": "53", - "info": "OSINT Analysis of malcious CHM file by OpenDNS", - "orgc_id": "2", - "uuid": "54f8662f-c7f0-4f59-a42a-a9a9950d210b" - } - }, - "organization": { - "id": "1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "as": { - "number": 48031 - }, - "provider": "misp", - "type": "autonomous-system" - } - } - }, - { - "@timestamp": "2014-10-06T07:10:57.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": 
"enrichment", - "original": "{\"id\":\"1084\",\"event_id\":\"2\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"ip-dst\",\"to_ids\":true,\"uuid\":\"54324081-3308-4f1f-8674-4953950d210b\",\"timestamp\":\"1412579457\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"89.160.20.129\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"orgc_id\":\"2\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "2", - "id": "1084", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": true, - "type": "ip-dst", - "uuid": "54324081-3308-4f1f-8674-4953950d210b" - }, - "event": { - "distribution": 3, - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "orgc_id": "2", - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - } - }, - "organization": { - "id": "1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "ip": "89.160.20.129", - "provider": "misp", - "type": "ipv4-addr" - } - } - }, - { - "@timestamp": "2014-10-28T19:55:46.000Z", - "ecs": { - "version": "8.9.0" - }, - "event": { - "category": [ - "threat" - ], - "kind": "enrichment", - "original": "{\"id\":\"24749\",\"event_id\":\"10\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network 
activity\",\"type\":\"email-dst\",\"to_ids\":true,\"uuid\":\"544ff4c2-914c-482f-aa29-4c43950d210b\",\"timestamp\":\"1414526146\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"first_seen\":null,\"last_seen\":null,\"value\":\"lisa.cuddy@wind0ws.kz\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"10\",\"info\":\"OSINT APT28: A Window into Russia’s Cyber Espionage Operations? blog post by FireEye\",\"orgc_id\":\"2\",\"uuid\":\"544fee45-f108-4fa6-ace9-3989950d210b\"}}", - "type": [ - "indicator" - ] - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "10", - "id": "24749", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": true, - "type": "email-dst", - "uuid": "544ff4c2-914c-482f-aa29-4c43950d210b" - }, - "event": { - "distribution": 3, - "id": "10", - "info": "OSINT APT28: A Window into Russia’s Cyber Espionage Operations? blog post by FireEye", - "orgc_id": "2", - "uuid": "544fee45-f108-4fa6-ace9-3989950d210b" - } - }, - "organization": { - "id": "1" - }, - "tags": [ - "preserve_original_event" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "email": { - "address": "lisa.cuddy@wind0ws.kz" - }, - "provider": "misp", - "type": "email-addr" - } - } - } - ] -} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml deleted file mode 100644 index d1cb754892..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml +++ /dev/null 
@@ -1,13 +0,0 @@
-input: httpjson
-service: misp
-vars: ~
-data_stream:
- vars:
- preserve_original_event: true
- url: http://{{Hostname}}:{{Port}}
- api_token: test
- interval: 10m
- initial_interval: 10m
- enable_request_tracer: true
-assert:
- hit_count: 5
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs
deleted file mode 100644
index b85674c2b3..0000000000
--- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,80 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "POST" -{{#if enable_request_tracer}} -request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson" -{{/if}} -{{#if url}} -request.url: {{url}}/attributes/restSearch -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -request.body: -{{#if filters}} - {{filters}} -{{/if}} -request.transforms: -{{#if api_token}} -- set: - target: header.Authorization - value: {{api_token}} -{{/if}} -- set: - target: body.page - value: 1 -- set: - target: body.limit - value: 10 -- set: - target: body.returnFormat - value: json -- set: - target: body.timestamp - value: '[[.cursor.timestamp.Unix]]' - default: '[[ (now (parseDuration "-{{initial_interval}}")).Unix ]]' -- set: - # Ignored by MISP, set as a workaround to make it available in response.pagination. - target: url.params.timestamp - value: '[[.body.timestamp]]' - -response.split: - target: body.response.Attribute - ignore_empty_value: true - keep_parent: false -response.request_body_on_pagination: true -response.pagination: -- set: - target: body.page - # Add 2 because the httpjson page counter is zero-based while the MISP page parameter starts at 1. 
- value: '[[if (ne (len .last_response.body.response.Attribute) 0)]][[add .last_response.page 2]][[end]]' - fail_on_template_error: true -- set: - target: body.timestamp - value: '[[.last_response.url.params.Get "timestamp"]]' -- set: - target: url.params.timestamp - value: '[[.last_response.url.params.Get "timestamp"]]' -cursor: - timestamp: - value: '[[.last_event.Attribute.timestamp]]' -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index a74f23de39..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,447 +0,0 @@ ---- -description: Pipeline for parsing MISP Threat Intel -processors: - #################### - # Event ECS fields # - #################### - - set: - field: ecs.version - value: '8.9.0' - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: [threat] - - set: - field: event.type - value: [indicator] - - ###################### - # General ECS fields # - ###################### - - rename: - field: message - target_field: event.original - ignore_missing: true - if: 'ctx.event?.original == null' - description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.' - - remove: - field: message - ignore_missing: true - if: 'ctx.event?.original != null' - description: 'The `message` field is no longer required if the document has an `event.original` field.' - - json: - field: event.original - target_field: misp.attribute - - fingerprint: - fields: - - misp.attribute.uuid - - misp.attribute.Event.uuid - target_field: "_id" - ignore_missing: true - - set: - field: threat.indicator.provider - value: misp - - date: - if: ctx.misp?.attribute?.timestamp != null - field: misp.attribute.timestamp - formats: - - UNIX - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: misp.attribute.Event - target_field: misp.event - ignore_missing: true - - rename: - field: misp.attribute.Tag - target_field: misp.tag - ignore_missing: true - - rename: - field: misp.attribute.Object - target_field: misp.object - ignore_missing: true - - rename: - field: misp.object.Attribute - target_field: misp.object.attribute - ignore_missing: true - - rename: - field: misp.object.meta-category - target_field: misp.object.meta_category - ignore_missing: true - - foreach: - if: ctx.misp?.attribute?.decay_score != null - field: 
misp.attribute.decay_score - processor: - rename: - ignore_missing: true - field: _ingest._value.DecayingModel - target_field: _ingest._value.decaying_model - - date: - if: ctx.misp?.event?.timestamp != null - field: misp.event.timestamp - target_field: misp.event.timestamp - formats: - - UNIX - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - if: ctx.misp?.event?.publish_timestamp != null - field: misp.event.publish_timestamp - target_field: misp.event.publish_timestamp - formats: - - UNIX - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - if: ctx.misp?.event?.sighting_timestamp != null - field: misp.event.sighting_timestamp - target_field: misp.event.sighting_timestamp - formats: - - UNIX - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - if: ctx.misp?.object?.timestamp != null - field: misp.object.timestamp - target_field: misp.object.timestamp - formats: - - UNIX - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - ##################### - # Threat ECS Fields # - ##################### - - set: - field: threat.feed.name - value: "MISP" - - rename: - field: misp.attribute.first_seen - target_field: threat.indicator.first_seen - ignore_missing: true - - rename: - field: misp.attribute.last_seen - target_field: threat.indicator.last_seen - ignore_missing: true - - convert: - field: misp.event.analysis - type: long - target_field: threat.indicator.scanner_stats - ignore_missing: true - - ## File/Hash indicator operations - - set: - field: threat.indicator.type - value: file - if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp.attribute.type) || 
ctx.misp.attribute.type.startsWith('filename'))" - - rename: - field: misp.attribute.value - target_field: "threat.indicator.file.hash.{{misp.attribute.type}}" - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp.attribute.type.startsWith('filename')" - - rename: - field: misp.attribute.value - target_field: threat.indicator.file.name - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'" - - grok: - field: misp.attribute.type - patterns: - - "%{WORD}\\|%{WORD:_tmp.hashtype}" - ignore_missing: true - if: ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|') - - grok: - field: misp.attribute.value - patterns: - - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" - ignore_missing: true - if: ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|') - - set: - field: threat.indicator.file.hash.{{_tmp.hashtype}} - value: "{{_tmp.hashvalue}}" - if: "ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|') && ctx._tmp?.hashvalue != null && ctx._tmp.hashtype != null" - - ## URL/URI indicator operations - - set: - field: threat.indicator.type - value: url - if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp.attribute.type)" - - uri_parts: - field: misp.attribute.value - target_field: threat.indicator.url - keep_original: true - remove_if_successful: true - if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri' - - set: - field: threat.indicator.url.full - value: "{{{threat.indicator.url.original}}}" - ignore_empty_value: true - if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'" - - ## Regkey indicator operations - - set: - field: threat.indicator.type - value: windows-registry-key - if: "ctx.misp?.attribute?.type != null && 
ctx.misp.attribute.type.startsWith('regkey')" - - rename: - field: misp.attribute.value - target_field: threat.indicator.registry.key - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'" - - grok: - field: misp.attribute.value - patterns: - - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}" - ignore_missing: true - if: "ctx.misp?.attribute?.type == 'regkey|value'" - - ## AS indicator operations - - set: - field: threat.indicator.type - value: autonomous-system - if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'" - - convert: - field: misp.attribute.value - type: long - target_field: threat.indicator.as.number - ignore_missing: true - if: ctx.threat?.indicator?.type == 'autonomous-system' - - ## Domain/IP/Port indicator operations - - set: - field: threat.indicator.type - value: domain-name - if: "ctx.misp?.attribute?.type != null && (ctx.misp.attribute.type == 'hostname' || ctx.misp.attribute.type.startsWith('domain'))" - - set: - field: threat.indicator.type - value: ipv4-addr - if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp.attribute.type)" - - rename: - field: misp.attribute.value - target_field: threat.indicator.url.domain - ignore_missing: true - if: "ctx.misp?.attribute?.type != null && ctx.threat?.indicator?.type == 'domain-name' && ctx.misp.attribute.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null" - - rename: - field: misp.attribute.value - target_field: threat.indicator.ip - ignore_missing: true - if: "ctx.misp?.attribute?.type != null && ctx.threat?.indicator?.type == 'ipv4-addr' && !['domain|ip', 'ip-src|port', 'ip-dst|port'].contains(ctx.misp.attribute.type)" - - grok: - field: misp.attribute.value - patterns: - - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}" - ignore_missing: true - if: ctx.misp?.attribute?.type == 
'domain|ip' && ctx.threat?.indicator?.url?.domain == null - - grok: - field: misp.attribute.value - patterns: - - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}" - ignore_missing: true - if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" - - ## Email indicator operations - # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. - - set: - field: threat.indicator.type - value: email-addr - if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp.attribute.type)" - - set: - field: threat.indicator.type - value: email-message - if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp.attribute.type)" - - rename: - field: misp.attribute.value - target_field: threat.indicator.email.address - ignore_missing: true - if: ctx.threat?.indicator?.type == 'email-addr' - - rename: - field: misp.event.event_creator_email - target_field: user.email - ignore_missing: true - - append: - field: user.roles - value: "reporting_user" - if: ctx?.user?.email != null - - ## MAC Address indicator operations - - set: - field: threat.indicator.type - value: mac-addr - if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp.attribute.type)" - - rename: - field: misp.attribute.value - target_field: threat.indicator.mac - ignore_missing: true - if: ctx.threat?.indicator?.type == 'mac-addr' - - ## Artifact indicator operations - - set: - field: threat.indicator.type - value: artifact - if: "ctx.misp?.attribute?.type == 'mime-type'" - - ## Mutex indicator operations - - set: - field: threat.indicator.type - value: mutex - if: "ctx.misp?.attribute?.type == 'mutex'" - - ## Software indicator operations - - set: - field: threat.indicator.type - value: software - if: "ctx.misp?.attribute?.type == 'cpe'" - - ################### - # Tags ECS fields # - 
################### - # Stripping special characters from tags - - script: - lang: painless - if: ctx.misp?.tag != null - source: | - def tags = ctx.misp.tag.stream() - .map(t -> t.name.replace('\\', '').replace('"', '')) - .collect(Collectors.toList()); - def tlpTags = tags.stream() - .filter(t -> t.startsWith('tlp:')) - .map(t -> t.replace('tlp:', '').toUpperCase()) - .collect(Collectors.toList()); - - ctx.temp_tags = tags; - ctx.threat.indicator.marking = [ 'tlp': tlpTags ]; - - foreach: - field: temp_tags - processor: - append: - field: tags - value: '{{{_ingest._value}}}' - allow_duplicates: false - if: ctx.temp_tags != null - - ##################### - # Organization ECS Fields # - ##################### - - rename: - field: misp.event.org_id - target_field: organization.id - ignore_missing: true - - ################# - # Convert types # - ################# - - convert: - field: misp.attribute.distribution - type: long - ignore_missing: true - - convert: - field: misp.object.distribution - type: long - ignore_missing: true - - convert: - field: misp.event.distribution - type: long - ignore_missing: true - - convert: - field: threat.indicator.port - type: long - ignore_missing: true - - convert: - field: misp.event.attribute_count - type: long - ignore_missing: true - - convert: - field: misp.event.threat_level_id - type: long - ignore_missing: true - - - foreach: - if: ctx.misp?.object?.attribute != null - field: misp.object.attribute - processor: - append: - field: debug_timestamp - value: '{{{_ingest._value.timestamp}}}' - if: ctx._ingest?._value != null - - - foreach: - if: ctx.misp?.object?.attribute != null - field: misp.object.attribute - processor: - date: - field: _ingest._value.timestamp - target_field: _ingest._value.timestamp - tag: date_object_attribute_timestamp - formats: - - UNIX - ignore_failure: true - - ###################### - # Cleanup processors # - ###################### - - script: - lang: painless - if: ctx?.misp != null - source: | - 
void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - remove: - field: - - misp.attribute.value - ignore_missing: true - # Special-case email subject as it is potentially useful, but cannot yet be - # put in threat.indicator.email.subject as it is not an ECS field. - if: ctx.threat?.indicator?.type != null && ctx.misp?.attribute?.type != "email-subject" - - remove: - field: - - temp_tags - - misp.attribute.timestamp - - misp.tag - - misp.event.analysis - - _tmp - - json - ignore_missing: true - -on_failure: - - set: - field: event.kind - value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/agent.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml
deleted file mode 100644
index fdf2687869..0000000000
--- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/base-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_misp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_misp.threat_attributes
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: MISP
-- name: threat.feed.dashboard_id
- type: constant_keyword
- description: Dashboard ID used for Kibana CTI UI
- value: ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294
-- name: "@timestamp"
- type: date
- description: Event timestamp.
-- name: "@version"
- type: text
- description: Event version.
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/beats.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/beats.yml
deleted file mode 100644
index cb44bb2944..0000000000
--- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/ecs.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/ecs.yml
deleted file mode 100644
index b2389c5017..0000000000
--- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/ecs.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-- external: ecs
- name: ecs.version
-- external: ecs
- name: message
-- external: ecs
- name: tags
-- external: ecs
- name: error.message
-- external: ecs
- name: event.category
-- external: ecs
- name: event.ingested
-- external: ecs
- name: event.created
-- external: ecs
- name: event.kind
-- external: ecs
- name: event.type
-- external: ecs
- name: event.original
-- external: ecs
- name: user.email
-- external: ecs
- name: user.roles
-- external: ecs
- name: threat.indicator.first_seen
-- external: ecs
- name: threat.indicator.last_seen
-- external: ecs
- name: threat.indicator.scanner_stats
-- external: ecs
- name: threat.indicator.type
-- external: ecs
- name: threat.indicator.ip
-- external: ecs
- name: threat.indicator.url.domain
-- external: ecs
- name: threat.indicator.url.full
-- external: ecs
- name: threat.indicator.url.extension
-- external: ecs
- name: threat.indicator.url.original
-- external: ecs
- name: threat.indicator.url.path
-- external: ecs
- name: threat.indicator.url.port
-- external: ecs
- name: threat.indicator.url.scheme
-- external: ecs
- name: threat.indicator.url.query
-- external: ecs
- name: threat.indicator.email.address
-- external: ecs
- name: threat.indicator.provider
-- external: ecs
- name: threat.indicator.as.number
-- external: ecs
- name: threat.indicator.file.hash.md5
-- external: ecs
- name: threat.indicator.file.hash.sha1
-- external: ecs
- name: threat.indicator.file.hash.sha256
-- external: ecs
- name: threat.indicator.marking.tlp
-- external: ecs
- name: threat.indicator.port
-- external: ecs
- name: threat.indicator.registry.key
-- external: ecs
- name: threat.indicator.registry.value
-- external: ecs
- name: threat.indicator.file.size
-- external: ecs
- name: threat.indicator.file.type
-- external: ecs
- name: threat.indicator.file.name
-- external: ecs
- name: organization.id
diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/fields.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/fields.yml
deleted file mode 100644
index 0a64819192..0000000000
--- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/fields/fields.yml
+++ /dev/null
@@ -1,277 +0,0 @@ -- name: misp - type: group - description: > - Fields for MISP indicators - - fields: - - name: event - type: group - description: > - Fields for MISP event - - fields: - - name: id - type: keyword - description: > - The local event ID of the attribute related to the event. - - - name: distribution - type: long - description: > - Distribution type related to MISP. - - - name: info - type: keyword - description: > - Additional text or information related to the event. - - - name: orgc_id - type: keyword - description: > - Organization Community ID of the event. - - - name: org_id - type: keyword - description: > - Organization ID of the event. - - - name: uuid - type: keyword - description: > - The UUID of the event object. - - - name: attribute_count - type: long - description: > - How many attributes are included in a single event object. - - - name: date - type: date - description: > - The date of when the event object was created. - - - name: disable_correlation - type: boolean - description: > - If correlation is disabled on the MISP event object. - - - name: extends_uuid - type: keyword - description: > - The UUID of the event object it might extend. - - - name: locked - type: boolean - description: > - If the current MISP event object is locked or not. - - - name: proposal_email_lock - type: boolean - description: > - Settings configured on MISP for email lock on this event object. - - - name: timestamp - type: date - description: > - The timestamp of when the event object was created. - - - name: publish_timestamp - type: date - description: "At what time the event object was published \n" - - name: sighting_timestamp - type: date - description: > - At what time the event object was sighted - - - name: threat_level_id - type: long - description: > - Threat level from 5 to 1, where 1 is the most critical. - - - name: published - type: boolean - description: > - When the event was published. 
- - - name: sharing_group_id - type: keyword - description: > - The ID of the grouped events or sources of the event. - - - name: attribute - type: group - description: > - Fields for MISP attribute - - fields: - - name: id - type: keyword - description: > - The ID of the attribute. - - - name: type - type: keyword - description: > - The type of the attribute. For example email, ipv4, sha1 and such. - - - name: category - type: keyword - description: > - The category of the attribute. For example "Network Activity". - - - name: to_ids - type: boolean - description: > - If the attribute should be automatically synced with an IDS. - - - name: uuid - type: keyword - description: > - The UUID of the attribute. - - - name: event_id - type: keyword - description: > - The local event ID of the attribute. - - - name: event_uuid - type: keyword - description: > - The local event UUID of the attribute. - - - name: distribution - type: long - description: > - How the attribute has been distributed, represented by integer numbers. - - - name: comment - type: keyword - description: > - Comments made to the attribute itself. - - - name: sharing_group_id - type: keyword - description: > - The group ID of the sharing group related to the specific attribute. - - - name: deleted - type: boolean - description: > - If the attribute has been removed. - - - name: disable_correlation - type: boolean - description: > - If correlation has been enabled on the attribute. - - - name: object_id - type: keyword - description: > - The ID of the Object in which the attribute is attached. - - - name: object_relation - type: keyword - description: > - The type of relation the attribute has with the attribute object itself. - - - name: value - type: keyword - description: > - The value of the attribute, depending on the type like "url, sha1, email-src". 
- - - name: data - type: keyword - description: > - The data of the attribute - - - name: decay_score - type: flattened - description: > - Group of fields describing decay score of the attribute - - - name: object - type: group - description: > - Fields for MISP Object - - fields: - - name: id - type: keyword - description: > - The ID of the object in which the attribute is attached. - - - name: name - type: keyword - description: > - The name of the object in which the attribute is attached. - - - name: meta_category - type: keyword - description: > - The meta-category of the object in which the attribute is attached. - - - name: description - type: keyword - description: > - The description of the object in which the attribute is attached. - - - name: template_uuid - type: keyword - description: > - The UUID of attribute object's template. - - - name: template_version - type: keyword - description: > - The version of attribute object's template. - - - name: event_id - type: keyword - description: > - The event ID of the object in which the attribute is attached. - - - name: uuid - type: keyword - description: > - The UUID of the object in which the attribute is attached. - - - name: timestamp - type: date - description: > - The timestamp when the object was created. - - - name: distribution - type: long - description: > - The distribution of the object indicating who can see the object. - - - name: sharing_group_id - type: keyword - description: > - The ID of the Sharing Group the object is shared with. - - - name: comment - type: keyword - description: > - Comments made to the object in which the attribute is attached. - - - name: deleted - type: boolean - description: > - If the object in which the attribute is attached has been removed. - - - name: first_seen - type: keyword - description: > - The first time the indicator of the object was seen. - - - name: last_seen - type: keyword - description: > - The last time the indicator of the object was seen. 
- - - name: attribute - type: flattened - description: > - List of attributes of the object in which the attribute is attached. - diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/manifest.yml b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/manifest.yml deleted file mode 100644 index 48d1b3345e..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/manifest.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -type: logs -title: MISP -streams: - - input: httpjson - vars: - - name: url - type: text - title: MISP URL - multi: false - required: true - show_user: true - default: https://mispserver.com - description: The URL or hostname of the MISP instance. - - name: api_token - type: password - title: MISP API Token - multi: false - required: true - show_user: true - description: The API token used to access the MISP instance. - - name: initial_interval - type: text - title: Initial interval - multi: false - required: true - show_user: true - default: 120h - description: How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s. - - name: http_client_timeout - type: text - title: HTTP Client Timeout - description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. - multi: false - required: false - show_user: false - default: 30s - - name: filters - type: yaml - title: MISP API Filters - multi: false - required: false - show_user: false - default: | - #type: - # OR: - # - ip-src - # - ip-dst - #tags: - # NOT: - # - tlp-red - description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) is supported. - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http\[s\]://:@: - - name: interval - type: text - title: Interval - description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s. 
- multi: false - required: true - show_user: true - default: 10m - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: false - default: | - #verification_mode: none - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - misp-threat_attributes - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: enable_request_tracer - type: bool - title: Enable request tracing - multi: false - required: false - show_user: false - description: > - The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details. - - template_path: httpjson.yml.hbs - title: MISP - description: Collect indicators from the MISP Attributes API diff --git a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/sample_event.json b/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/sample_event.json deleted file mode 100644 index 1c4056959e..0000000000 --- a/test/packages/with-logstash/ti_misp/data_stream/threat_attributes/sample_event.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "@timestamp": "2014-10-03T07:14:05.000Z", - "agent": { - "ephemeral_id": "cdecad63-3561-4779-8f29-0f578cdbaf3e", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.9.1" - }, - "data_stream": { - "dataset": "ti_misp.threat_attributes", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.9.0" - }, - "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", - "snapshot": false, - "version": "8.9.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "threat" - ], - "created": "2023-08-28T15:44:00.019Z", - "dataset": "ti_misp.threat_attributes", - "ingested": "2023-08-28T15:44:02Z", - "kind": "enrichment", - "original": "{\"Event\":{\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"},\"category\":\"External analysis\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"1\",\"first_seen\":null,\"id\":\"1\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1412320445\",\"to_ids\":false,\"type\":\"link\",\"uuid\":\"542e4cbd-ee78-4a57-bfb8-1fda950d210b\",\"value\":\"http://labs.opendns.com/2014/10/02/opendns-and-bash/\"}", - "type": [ - "indicator" - ] - }, - "input": { - "type": "httpjson" - }, - "misp": { - "attribute": { - "category": "External analysis", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "1", - "id": "1", - "object_id": "0", - "sharing_group_id": "0", - "to_ids": false, - "type": "link", - "uuid": "542e4cbd-ee78-4a57-bfb8-1fda950d210b" - }, - "event": { - "distribution": 3, - "id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" - } - }, - "organization": { - 
"id": "1" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "misp-threat_attributes" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "provider": "misp", - "type": "url", - "url": { - "domain": "labs.opendns.com", - "full": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", - "original": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", - "path": "/2014/10/02/opendns-and-bash/", - "scheme": "http" - } - } - } -} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/docs/README.md b/test/packages/with-logstash/ti_misp/docs/README.md index 5d16e0bceb..636c58c210 100644 --- a/test/packages/with-logstash/ti_misp/docs/README.md +++ b/test/packages/with-logstash/ti_misp/docs/README.md @@ -16,7 +16,6 @@ The filters themselves are based on the [MISP API documentation](https://www.cir | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| @version | Event version. | text | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | @@ -191,7 +190,7 @@ An example event for `threat` looks as following: "type": "logs" }, "ecs": { - "version": "8.9.0" + "version": "8.10.0" }, "elastic_agent": { "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", 
@@ -294,7 +293,6 @@ This data stream uses the `/attributes/restSearch` API endpoint which returns mo | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| @version | Event version. | text | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | diff --git a/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json b/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json deleted file mode 100644 index 465e992b5f..0000000000 --- a/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json +++ /dev/null 
@@ -1,952 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about file type indicators from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.kind", - "negate": false, - "params": { - "query": "enrichment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.kind": "enrichment" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threat.indicator.type", - "negate": false, - "params": { - "query": "file" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "threat.indicator.type": "file" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "ti_misp.threat" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "ti_misp.threat" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 12, - "markdown": "**Navigation**\n\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \n**[MISP Files (This 
Page)](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877)** \n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \n\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\n\n\n**Overview**\n\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\n\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.", - "openLinksInNewTab": false - }, - "title": "Files Navigation Textbox [Logs AbuseCH]", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 27, - "i": "09ba3dc0-e2e2-4799-b47f-bb919bf290a1", - "w": 7, - "x": 0, - "y": 0 - }, - "panelIndex": "09ba3dc0-e2e2-4799-b47f-bb919bf290a1", - "title": "Files Navigation Textbox [Logs MISP]", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", - "type": "index-pattern" - } - ], - "sharingSavedObjectProps": { - "outcome": "exactMatch", - "sourceId": "ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6" - }, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "98786f76-dac4-4fc7-9cad-8bfce17bd00d": { - "columnOrder": [ - "8622e147-406f-4711-8f68-e2425614106e" - ], - "columns": { - "8622e147-406f-4711-8f68-e2425614106e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique File types", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "threat.indicator.file.type" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - 
"query": "" - }, - "visualization": { - "accessor": "8622e147-406f-4711-8f68-e2425614106e", - "layerId": "98786f76-dac4-4fc7-9cad-8bfce17bd00d", - "layerType": "data" - } - }, - "title": "Unique File Types [Logs AbuseCH]", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "31ea16d1-7591-42a7-b773-6fca00e5db14", - "w": 5, - "x": 7, - "y": 0 - }, - "panelIndex": "31ea16d1-7591-42a7-b773-6fca00e5db14", - "title": "Unique File Types [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - } - ], - "sharingSavedObjectProps": { - "outcome": "exactMatch", - "sourceId": "ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6" - }, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "b83c382d-fab9-4e60-a632-475e221cc20c": { - "columnOrder": [ - "eda3c6d9-dacb-4e5e-b977-50104f76e91a" - ], - "columns": { - "eda3c6d9-dacb-4e5e-b977-50104f76e91a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique MD5", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "threat.indicator.file.hash.md5" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "eda3c6d9-dacb-4e5e-b977-50104f76e91a", - "layerId": "b83c382d-fab9-4e60-a632-475e221cc20c", - "layerType": "data" - } - }, - "title": "Unique MD5 [Logs AbuseCH]", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98", - "w": 6, - "x": 12, - "y": 0 - }, - "panelIndex": 
"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98", - "title": "Unique MD5 [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", - "type": "index-pattern" - } - ], - "sharingSavedObjectProps": { - "outcome": "exactMatch", - "sourceId": "ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6" - }, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "85ad73b3-3b76-49f1-ad20-6256b58918f8": { - "columnOrder": [ - "289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3" - ], - "columns": { - "289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique SHA1", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "threat.indicator.file.hash.sha1" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3", - "layerId": "85ad73b3-3b76-49f1-ad20-6256b58918f8", - "layerType": "data" - } - }, - "title": "Unique SHA1 [Logs AbuseCH]", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea", - "w": 6, - "x": 18, - "y": 0 - }, - "panelIndex": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea", - "title": "Unique SHA1 [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - } - ], - 
"sharingSavedObjectProps": { - "outcome": "exactMatch", - "sourceId": "ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6" - }, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "49b7070a-f1d3-46e1-a980-2f6d6d130167": { - "columnOrder": [ - "b6c5e221-88ff-490e-bd3e-188b3e0dd1f4" - ], - "columns": { - "b6c5e221-88ff-490e-bd3e-188b3e0dd1f4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique SHA256", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "threat.indicator.file.hash.sha256" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "b6c5e221-88ff-490e-bd3e-188b3e0dd1f4", - "layerId": "49b7070a-f1d3-46e1-a980-2f6d6d130167", - "layerType": "data" - } - }, - "title": "Unique SHA256 [Logs AbuseCH]", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce", - "w": 6, - "x": 24, - "y": 0 - }, - "panelIndex": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce", - "title": "Unique SHA256 [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", - "type": "index-pattern" - } - ], - "sharingSavedObjectProps": { - "outcome": "exactMatch", - "sourceId": "ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6" - }, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "12768311-834b-48d5-8aad-d17d139c2ae5": { - "columnOrder": [ - "0255894e-dd88-4eb1-b21b-0cccecb2cd1b" - ], - "columns": { - "0255894e-dd88-4eb1-b21b-0cccecb2cd1b": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - 
"label": "Unique TLSH", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "threat.indicator.file.hash.tlsh" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "0255894e-dd88-4eb1-b21b-0cccecb2cd1b", - "layerId": "12768311-834b-48d5-8aad-d17d139c2ae5", - "layerType": "data" - } - }, - "title": "Unique TLSH [Logs AbuseCH]", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "b77edd3f-b171-4e61-b519-169b5aade031", - "w": 6, - "x": 30, - "y": 0 - }, - "panelIndex": "b77edd3f-b171-4e61-b519-169b5aade031", - "title": "Unique TLSH [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", - "type": "index-pattern" - } - ], - "sharingSavedObjectProps": { - "outcome": "exactMatch", - "sourceId": "ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6" - }, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "9070dc46-c06d-4b64-a2c5-7b6d4056a14d": { - "columnOrder": [ - "f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801" - ], - "columns": { - "f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Imphash", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "threat.indicator.file.pe.imphash" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801", - "layerId": "9070dc46-c06d-4b64-a2c5-7b6d4056a14d", - "layerType": "data" - } - }, - "title": "Unique Imphash 
[Logs AbuseCH]", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "f9eb44f8-6174-4b12-a8ca-5c542687006b", - "w": 6, - "x": 36, - "y": 0 - }, - "panelIndex": "f9eb44f8-6174-4b12-a8ca-5c542687006b", - "title": "Unique Imphash [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", - "type": "index-pattern" - } - ], - "sharingSavedObjectProps": { - "outcome": "exactMatch", - "sourceId": "ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6" - }, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e27d5a76-ae51-44fa-b17e-e486bbc01b56": { - "columnOrder": [ - "b5cdfd94-1e22-4673-8216-59aca2131761" - ], - "columns": { - "b5cdfd94-1e22-4673-8216-59aca2131761": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique SSDEEP", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "threat.indicator.file.hash.ssdeep" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "b5cdfd94-1e22-4673-8216-59aca2131761", - "layerId": "e27d5a76-ae51-44fa-b17e-e486bbc01b56", - "layerType": "data" - } - }, - "title": "Unique SSDEEP [Logs AbuseCH]", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "c9d59178-9b19-4255-8098-653cb30f3d09", - "w": 6, - "x": 42, - "y": 0 - }, - "panelIndex": "c9d59178-9b19-4255-8098-653cb30f3d09", - "title": "Unique SSDEEP [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - 
"id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", - "type": "index-pattern" - } - ], - "sharingSavedObjectProps": { - "outcome": "exactMatch", - "sourceId": "2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420" - }, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "06d9ac79-2055-437e-892c-de9ee07fe674": { - "columnOrder": [ - "35f5321a-27f4-4076-9d1d-d326187f4689", - "df062557-78a5-4a78-93f1-34583c809bc3" - ], - "columns": { - "35f5321a-27f4-4076-9d1d-d326187f4689": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "File Names", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "df062557-78a5-4a78-93f1-34583c809bc3", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.file.name" - }, - "df062557-78a5-4a78-93f1-34583c809bc3": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "35f5321a-27f4-4076-9d1d-d326187f4689", - "isTransposed": false - }, - { - "columnId": "df062557-78a5-4a78-93f1-34583c809bc3", - "isTransposed": false - } - ], - "layerId": "06d9ac79-2055-437e-892c-de9ee07fe674", - "layerType": "data" - } - }, - "title": "Most popular file names [Logs AbuseCH]", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 19, - "i": "b733385b-14f8-4469-b777-86d0139cc56b", - "w": 20, - "x": 7, - "y": 8 - }, - "panelIndex": "b733385b-14f8-4469-b777-86d0139cc56b", - "title": "Most 
popular file names [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", - "type": "index-pattern" - } - ], - "sharingSavedObjectProps": { - "outcome": "exactMatch", - "sourceId": "ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6" - }, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8": { - "columnOrder": [ - "06b603cb-c9fb-493a-9ca4-e6502ca12054", - "de0e531b-dda7-461f-9783-3ab9267d202e" - ], - "columns": { - "06b603cb-c9fb-493a-9ca4-e6502ca12054": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of threat.indicator.file.type", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "de0e531b-dda7-461f-9783-3ab9267d202e", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.file.type" - }, - "de0e531b-dda7-461f-9783-3ab9267d202e": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "06b603cb-c9fb-493a-9ca4-e6502ca12054" - ], - "layerId": "222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", - "layerType": "data", - "legendDisplay": "default", - "metric": "de0e531b-dda7-461f-9783-3ab9267d202e", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "treemap" - } - }, - "title": "File Types [Logs AbuseCH]", - "visualizationType": "lnsPie" - }, - 
"enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 19, - "i": "5f1d0cf1-c331-4495-99d5-5e80d023c482", - "w": 21, - "x": 27, - "y": 8 - }, - "panelIndex": "5f1d0cf1-c331-4495-99d5-5e80d023c482", - "title": "File Types [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - } - ], - "timeRestore": false, - "title": "[Logs MISP] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", - 
"type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json b/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json deleted file mode 100644 index eb0c647123..0000000000 --- a/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json +++ /dev/null 
@@ -1,694 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "threat.indicator.type", - "negate": false, - "params": { - "query": "url" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "threat.indicator.type": "url" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "ti_misp.threat" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "ti_misp.threat" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**Navigation**\n\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \n**[MISP URLs (This Page)](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877)** \n\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\n\n\n**Overview**\n\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\n\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 39, - "i": "4c3ed6e1-8b4e-4eab-8d84-70ed4f506216", - "w": 7, - "x": 0, - "y": 0 - }, - "panelIndex": "4c3ed6e1-8b4e-4eab-8d84-70ed4f506216", - "title": "Files Navigation Textbox [Logs MISP]", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "88a112e1-6da1-49d3-9177-19f98280c200": { - "columnOrder": [ - "604f1693-15a6-437d-af69-03588db8e471" - ], - "columns": { - "604f1693-15a6-437d-af69-03588db8e471": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Ports", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "threat.indicator.url.port" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "604f1693-15a6-437d-af69-03588db8e471", - "layerId": "88a112e1-6da1-49d3-9177-19f98280c200", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "c7c6e8dc-b649-434c-9650-8a1564d4d676", - "w": 6, - "x": 7, - "y": 0 - }, - "panelIndex": "c7c6e8dc-b649-434c-9650-8a1564d4d676", - "title": "Unique Ports [Logs MISP]", - "type": "lens", - "version": 
"8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "a6fa56f8-32fa-405d-8771-dade4fe75d62": { - "columnOrder": [ - "848c463b-bbc1-4b6a-af3e-76d844eb3cc5" - ], - "columns": { - "848c463b-bbc1-4b6a-af3e-76d844eb3cc5": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Extensions", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "threat.indicator.url.extension" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "848c463b-bbc1-4b6a-af3e-76d844eb3cc5", - "layerId": "a6fa56f8-32fa-405d-8771-dade4fe75d62", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "73a752f9-bde5-4396-8ede-e9e77a37182d", - "w": 6, - "x": 13, - "y": 0 - }, - "panelIndex": "73a752f9-bde5-4396-8ede-e9e77a37182d", - "title": "Unique File Extensions [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c94400ee-a135-4a99-9693-5879d29f7aad": { - "columnOrder": [ - "2934249f-fce5-4637-87ff-d2596d1b6ec5" - ], - "columns": { - 
"2934249f-fce5-4637-87ff-d2596d1b6ec5": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Domains", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "threat.indicator.url.domain" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2934249f-fce5-4637-87ff-d2596d1b6ec5", - "layerId": "c94400ee-a135-4a99-9693-5879d29f7aad", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "02f1732b-a981-4fba-8b27-b944f2f3c98c", - "w": 6, - "x": 19, - "y": 0 - }, - "panelIndex": "02f1732b-a981-4fba-8b27-b944f2f3c98c", - "title": "Unique Domains [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "9fa49c4c-5544-472d-afce-e51d6a5687fe": { - "columnOrder": [ - "15e2b5ad-2040-4253-89a6-60f085c66f86", - "b9a631fe-5f49-4db2-a076-bcbf5410aec9" - ], - "columns": { - "15e2b5ad-2040-4253-89a6-60f085c66f86": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of threat.indicator.url.extension", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "b9a631fe-5f49-4db2-a076-bcbf5410aec9", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.url.extension" - }, - "b9a631fe-5f49-4db2-a076-bcbf5410aec9": { - "dataType": "number", - "isBucketed": 
false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "15e2b5ad-2040-4253-89a6-60f085c66f86", - "15e2b5ad-2040-4253-89a6-60f085c66f86" - ], - "layerId": "9fa49c4c-5544-472d-afce-e51d6a5687fe", - "layerType": "data", - "legendDisplay": "default", - "metric": "b9a631fe-5f49-4db2-a076-bcbf5410aec9", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "treemap" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 31, - "i": "fda93ed1-72f0-4489-80b7-9e69d14f30aa", - "w": 23, - "x": 25, - "y": 0 - }, - "panelIndex": "fda93ed1-72f0-4489-80b7-9e69d14f30aa", - "title": "Most Popular File Extensions [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "0f63318a-a857-4d83-89ce-a94e2242b79e": { - "columnOrder": [ - "df0791a6-247c-4434-a43a-fdea7577ca34", - "77a48096-02aa-4b7a-8a7b-131fc38988bd" - ], - "columns": { - "77a48096-02aa-4b7a-8a7b-131fc38988bd": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "df0791a6-247c-4434-a43a-fdea7577ca34": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of threat.indicator.url.scheme", - "operationType": "terms", - "params": { - 
"missingBucket": false, - "orderBy": { - "columnId": "77a48096-02aa-4b7a-8a7b-131fc38988bd", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.url.scheme" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "df0791a6-247c-4434-a43a-fdea7577ca34" - ], - "layerId": "0f63318a-a857-4d83-89ce-a94e2242b79e", - "layerType": "data", - "legendDisplay": "show", - "metric": "77a48096-02aa-4b7a-8a7b-131fc38988bd", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "donut" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d", - "w": 18, - "x": 7, - "y": 8 - }, - "panelIndex": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d", - "title": "Percentage of URL Schema used [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "db89074c-e1fe-4091-bdb1-e42a36e82bac": { - "columnOrder": [ - "b284ea2a-a2cd-4d08-bf44-fc73c08b5694", - "7ca1ac0b-2060-4431-a4b9-ec470af4448c" - ], - "columns": { - "7ca1ac0b-2060-4431-a4b9-ec470af4448c": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "b284ea2a-a2cd-4d08-bf44-fc73c08b5694": { - "customLabel": true, - "dataType": 
"string", - "isBucketed": true, - "label": "Domains", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "7ca1ac0b-2060-4431-a4b9-ec470af4448c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.url.domain" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "7ca1ac0b-2060-4431-a4b9-ec470af4448c", - "isTransposed": false - }, - { - "columnId": "b284ea2a-a2cd-4d08-bf44-fc73c08b5694", - "isTransposed": false - } - ], - "layerId": "db89074c-e1fe-4091-bdb1-e42a36e82bac", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 16, - "i": "8994501a-1550-4cf2-857f-d6b6491ffb62", - "w": 18, - "x": 7, - "y": 23 - }, - "panelIndex": "8994501a-1550-4cf2-857f-d6b6491ffb62", - "title": "Most Popular Domains [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - } - ], - "timeRestore": false, - "title": "[Logs MISP] URLs", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json b/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json deleted file mode 100644 index 127c7707d2..0000000000 --- a/test/packages/with-logstash/ti_misp/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json +++ /dev/null 
@@ -1,665 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ti_misp.threat" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ti_misp.threat" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.kind", - "negate": false, - "params": { - "query": "enrichment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.kind": "enrichment" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 12, - "markdown": "**Navigation**\n\n**[MISP Overview (This Page)](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294)** \n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \n\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\n\n\n**Overview**\n\nThis dashboard is a health overview related to the MISP integration.\n\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from MISP. 
\n\nIt shows ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from MISP.", - "openLinksInNewTab": false - }, - "title": "Overview Textbox [Logs AbuseCH]", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 36, - "i": "ce31769b-ab7b-48c0-8869-bdf0c943d013", - "w": 7, - "x": 0, - "y": 0 - }, - "panelIndex": "ce31769b-ab7b-48c0-8869-bdf0c943d013", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "controls": [ - { - "fieldName": "threat.indicator.provider", - "id": "1641204819355", - "indexPatternRefName": "control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern", - "label": "Indicator Provider", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - }, - { - "fieldName": "threat.indicator.type", - "id": "1641204843291", - "indexPatternRefName": "control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern", - "label": "Indicator Type", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - } - ], - "pinFilters": false, - "updateFiltersOnChange": false, - "useTimeFilter": false - }, - "title": "", - "type": "input_control_vis", - "uiState": {} - } - }, - "gridData": { - "h": 8, - "i": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5", - "w": 26, - "x": 7, - "y": 0 - }, - "panelIndex": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5", - "title": "Indicator Selector [Logs MISP]", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": 
"indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "d87f35ee-570a-488b-b618-6ada39b49df4": { - "columnOrder": [ - "427cdedd-a93a-4f8e-93ce-f872b3809ae4", - "d0f21543-9576-400e-aeca-babc5407d3a7" - ], - "columns": { - "427cdedd-a93a-4f8e-93ce-f872b3809ae4": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of threat.indicator.type", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "d0f21543-9576-400e-aeca-babc5407d3a7", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.type" - }, - "d0f21543-9576-400e-aeca-babc5407d3a7": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "427cdedd-a93a-4f8e-93ce-f872b3809ae4" - ], - "layerId": "d87f35ee-570a-488b-b618-6ada39b49df4", - "layerType": "data", - "legendDisplay": "default", - "metric": "d0f21543-9576-400e-aeca-babc5407d3a7", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "donut" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 22, - "i": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b", - "w": 15, - "x": 33, - "y": 0 - }, - "panelIndex": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b", - "title": "Total Indicators per type [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - 
"embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "0491a750-3050-47a9-bb99-c45984d3d28c": { - "columnOrder": [ - "fb93835d-e6a1-49b4-8911-ae15b081da8a" - ], - "columns": { - "fb93835d-e6a1-49b4-8911-ae15b081da8a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Indicators", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "fb93835d-e6a1-49b4-8911-ae15b081da8a", - "layerId": "0491a750-3050-47a9-bb99-c45984d3d28c", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "7cb42a10-64fd-454a-8669-f579fa2d0850", - "w": 6, - "x": 7, - "y": 8 - }, - "panelIndex": "7cb42a10-64fd-454a-8669-f579fa2d0850", - "title": "Total Indicators [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "471f2a97-fb44-41a1-a5a0-2f68b9140ef5": { - "columnOrder": [ - "16691165-3643-4658-bfc8-4bba834f2789", - "3e085a0a-8386-4f64-a629-44ae27b18878" - ], - "columns": { - "16691165-3643-4658-bfc8-4bba834f2789": { - "dataType": 
"string", - "isBucketed": true, - "label": "Top values of threat.indicator.provider", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "3e085a0a-8386-4f64-a629-44ae27b18878", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "threat.indicator.provider" - }, - "3e085a0a-8386-4f64-a629-44ae27b18878": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": [ - "3e085a0a-8386-4f64-a629-44ae27b18878" - ], - "layerId": "471f2a97-fb44-41a1-a5a0-2f68b9140ef5", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "splitAccessor": "16691165-3643-4658-bfc8-4bba834f2789" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "bar_horizontal", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "f5937489-643e-4254-819d-b1290b4b74c2", - "w": 20, - "x": 13, - "y": 8 - }, - "panelIndex": "f5937489-643e-4254-819d-b1290b4b74c2", - "title": "Total Indicators per Provider [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7": { - "columnOrder": [ - "4d7ca99c-8a53-4a7f-96db-409251c0e391", - "b7f07f7c-1477-4f83-95f5-ad5cdc3a314b", - "0726d151-9edf-41cb-ab52-473ab27cf8b7" - ], - "columns": { - "0726d151-9edf-41cb-ab52-473ab27cf8b7": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "4d7ca99c-8a53-4a7f-96db-409251c0e391": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of event.dataset", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0726d151-9edf-41cb-ab52-473ab27cf8b7", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "event.dataset" - }, - "b7f07f7c-1477-4f83-95f5-ad5cdc3a314b": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "30s" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "curveType": "CURVE_MONOTONE_X", - "fittingFunction": "Zero", - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "0726d151-9edf-41cb-ab52-473ab27cf8b7" - ], - "layerId": "c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "4d7ca99c-8a53-4a7f-96db-409251c0e391", - "xAccessor": "b7f07f7c-1477-4f83-95f5-ad5cdc3a314b" - } - ], - "legend": { - "isInside": false, - "isVisible": true, - "position": "bottom", - "shouldTruncate": false, - 
"showSingleSeries": true - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "xTitle": "Date", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Total Indicators" - } - }, - "title": "Indicators ingested per Datastream [Logs AbuseCH]", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "77a4acf0-c56d-420f-b50b-8e5b082931c9", - "w": 41, - "x": 7, - "y": 22 - }, - "panelIndex": "77a4acf0-c56d-420f-b50b-8e5b082931c9", - "title": "Indicators ingested [Logs MISP]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" - } - ], - "timeRestore": false, - "title": "[Logs MISP] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-current-indexpattern", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json b/test/packages/with-logstash/ti_misp/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json deleted file mode 100644 index b202c82473..0000000000 --- a/test/packages/with-logstash/ti_misp/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "", - "name": "MISP" - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/test/packages/with-logstash/ti_misp/kibana/tags.yml b/test/packages/with-logstash/ti_misp/kibana/tags.yml deleted file mode 100644 index 47f20a8f55..0000000000 --- a/test/packages/with-logstash/ti_misp/kibana/tags.yml +++ /dev/null 
@@ -1,4 +0,0 @@ -- text: Security Solution - asset_types: - - dashboard - - search diff --git a/test/packages/with-logstash/ti_misp/manifest.yml b/test/packages/with-logstash/ti_misp/manifest.yml index 69a00201dc..9c687d53ca 100644 --- a/test/packages/with-logstash/ti_misp/manifest.yml +++ b/test/packages/with-logstash/ti_misp/manifest.yml @@ -1,12 +1,13 @@ name: ti_misp title: MISP -version: "1.22.0" +version: "1.24.0" description: Ingest threat intelligence indicators from MISP platform with Elastic Agent. type: integration -format_version: 2.11.0 +format_version: "3.0.0" categories: ["security", "threat_intel"] conditions: - kibana.version: ^8.7.1 + kibana: + version: ^8.7.1 icons: - src: /img/misp.svg title: MISP @@ -22,3 +23,4 @@ policy_templates: description: "Ingest threat intelligence indicators from MISP platform with Elastic Agent." owner: github: elastic/security-external-integrations + type: elastic From f4c02c316151300efe9406bdb8300affadb5003a Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Thu, 28 Sep 2023 21:54:53 +0200 Subject: [PATCH 16/17] Fix pr comments --- docs/howto/system_testing.md | 6 +++--- internal/testrunner/runners/system/runner.go | 20 ++++++++------------ 2 files changed, 11 insertions(+), 15 deletions(-) diff --git a/docs/howto/system_testing.md b/docs/howto/system_testing.md index 8000118e99..8831f95da1 100644 --- a/docs/howto/system_testing.md +++ b/docs/howto/system_testing.md 
@@ -581,20 +581,20 @@ Example `expected_errors` file content:
 ### System testing with logstash
-It is possible to test packages that output to logstash which in turn publishes events to elasticsearch.
+It is possible to test packages that output to Logstash which in turn publishes events to Elasticsearch.
 A profile config option `stack.logstash_enabled` has been added to profile configuration. When this profile config is enabled
 - Logstash output is added in Fleet with id `fleet-logstash-output`
 - Logstash service is created in the stack which reads from `elastic-agent` input and outputs to `elasticsearch`.
-- Logstash is also configured with `elastic-integration` plugin. Once configured to point to an elasticsearch cluster, this filter will detect which ingest pipeline (if any) should be executed for each event, auto-detecting the event’s data-stream and its default pipeline.
+- Logstash is also configured with `elastic-integration` plugin. Once configured to point to an Elasticsearch cluster, this filter will detect which ingest pipeline (if any) should be executed for each event, auto-detecting the event’s data-stream and its default pipeline.
 A sample workflow would look like:
 - You can [create](https://github.com/elastic/elastic-package#elastic-package-profiles-create) a new profile / [use existing profile](https://github.com/elastic/elastic-package#elastic-package-profiles-use) to test this.
 - Navigate to `~/.elastic-package/profiles//`.
 - Rename `config.yml.example` to `config.yml` [ If config is not used before ]
-- Uncomment the line `# stack.logstash_enabled: true`
+- Add the following line (or uncomment if present) `stack.logstash_enabled: true`
 - Run `elastic-package stack up -d -v`
 - Navigate to the package folder in integrations and run `elastic-package test system -v`
diff --git a/internal/testrunner/runners/system/runner.go b/internal/testrunner/runners/system/runner.go
index e6a567be8b..dc11de5128 100644
--- a/internal/testrunner/runners/system/runner.go
+++ b/internal/testrunner/runners/system/runner.go
@@ -517,20 +517,16 @@ func (r *runner) runTest(config *testConfig, ctxt servicedeployer.ServiceContext
 logger.Debug("creating test policy...")
 testTime := time.Now().Format("20060102T15:04:05Z")
- // Assign the data_output_id to the agent policy to configure the output to logstash or a default as elasticsearch. The values are inferred from stack/_static/kibana.yml.tmpl
- var elasticAgentDataOutputId string
- if strings.Compare(r.options.Profile.Config("stack.logstash_enabled", "false"), "true") == 0 {
- elasticAgentDataOutputId = "fleet-logstash-output"
- } else {
- elasticAgentDataOutputId = "fleet-default-output"
- }
-
 p := kibana.Policy{
- Name: fmt.Sprintf("ep-test-system-%s-%s-%s", r.options.TestFolder.Package, r.options.TestFolder.DataStream, testTime),
- Description: fmt.Sprintf("test policy created by elastic-package test system for data stream %s/%s", r.options.TestFolder.Package, r.options.TestFolder.DataStream),
- Namespace: "ep",
- DataOutputID: elasticAgentDataOutputId,
+ Name: fmt.Sprintf("ep-test-system-%s-%s-%s", r.options.TestFolder.Package, r.options.TestFolder.DataStream, testTime),
+ Description: fmt.Sprintf("test policy created by elastic-package test system for data stream %s/%s", r.options.TestFolder.Package, r.options.TestFolder.DataStream),
+ Namespace: "ep",
 }
+ // Assign the data_output_id to the agent policy to configure the output to logstash. The value is inferred from stack/_static/kibana.yml.tmpl
+ if r.options.Profile.Config("stack.logstash_enabled", "false") == "true" {
+ p.DataOutputID = "fleet-logstash-output"
+ }
+
 policy, err := r.options.KibanaClient.CreatePolicy(p)
 if err != nil {
 return result.WithError(fmt.Errorf("could not create test policy: %w", err))
From 4e00a69ed1d40155cb8de7d98647ac436ec629ae Mon Sep 17 00:00:00 2001
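Review bot: The new `if` decides the policy output by exact string equality with `"true"`, so a profile `config.yml` that spells the flag `True`, `yes` or `1` silently leaves `p.DataOutputID` empty and the test runs against the default Elasticsearch output with nothing pointing at the misconfiguration. Parsing the value with `strconv.ParseBool` and returning the parse error through `result.WithError`, the way the following `CreatePolicy` error is handled, makes a bad value fail loudly; `strconv` would have to be added to the import block, which is outside this hunk, and `strings` may now be unused there if this was its only caller. The literal `fleet-logstash-output` also has to stay in step with the output id declared in `kibana.yml.tmpl`, which the comment says but nothing checks; a named constant next to the other policy defaults would at least give the id a single definition on the Go side. runTest begins and ends outside the hunk.
```go
	// Assign the data_output_id to the agent policy to configure the output to logstash. The value is inferred from stack/_static/kibana.yml.tmpl
	logstashEnabled, err := strconv.ParseBool(r.options.Profile.Config("stack.logstash_enabled", "false"))
	if err != nil {
		return result.WithError(fmt.Errorf("invalid stack.logstash_enabled profile setting: %w", err))
	}
	if logstashEnabled {
		p.DataOutputID = "fleet-logstash-output"
	}
	// … unchanged: policy creation via r.options.KibanaClient.CreatePolicy(p) …
```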
From: Bharat Pasupula
Date: Fri, 29 Sep 2023 11:09:42 +0200
Subject: [PATCH 17/17] Add logstash custom image details to docs
---
 docs/howto/custom_images.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/howto/custom_images.md b/docs/howto/custom_images.md
index fef71777fa..67fb6b6096 100644
--- a/docs/howto/custom_images.md
+++ b/docs/howto/custom_images.md
@@ -20,6 +20,7 @@ The current images that could be overwritten are:
 | Elasticsearch | ELASTICSEARCH_IMAGE_REF_OVERRIDE | elasticsearch |
 | Kibana | KIBANA_IMAGE_REF_OVERRIDE | kibana |
 | Elastic Agent | ELASTIC_AGENT_IMAGE_REF_OVERRIDE | elastic-agent |
+| Logstash | LOGSTASH_IMAGE_REF_OVERRIDE | logstash |
 For the following two examples, it will be used as example overwriting elastic-agent image.