forked from elastic/integrations
/
manifest.yml
139 lines (137 loc) · 4.97 KB
/
manifest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
type: logs
title: MISP
streams:
- input: httpjson
vars:
- name: url
type: text
title: MISP URL
multi: false
required: true
show_user: true
default: https://mispserver.com
description: The URL or hostname of the MISP instance.
- name: api_token
type: password
title: MISP API Token
multi: false
required: true
show_user: true
description: The API token used to access the MISP instance.
secret: true
- name: limit
type: text
title: Attributes Limit
multi: false
required: true
show_user: true
default: 10
description: Configures how many attributes are returned for each API request.
- name: initial_interval
type: text
title: Initial interval
multi: false
required: true
show_user: true
default: 120h
description: How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s.
- name: ioc_expiration_duration
type: text
title: IOC Expiration Duration
multi: false
required: true
show_user: true
default: "90d"
description: >-
Enforces all IOCs to expire after this duration. This setting is required to avoid "orphaned" IOCs that never expire. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g 10d)
- name: http_client_timeout
type: text
title: HTTP Client Timeout
description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: false
show_user: false
default: 30s
- name: filters
type: yaml
title: MISP API Filters
multi: false
required: false
show_user: false
default: |
#type:
# OR:
# - ip-src
# - ip-dst
#tags:
# NOT:
# - tlp-red
#decayingModel: 2
description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) is supported.
- name: proxy_url
type: text
title: Proxy URL
multi: false
required: false
show_user: false
description: URL to proxy connections in the form of http\[s\]://<user>:<password>@<server name/ip>:<port>
- name: interval
type: text
title: Interval
description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s.
multi: false
required: true
show_user: true
default: 10m
- name: enforce_warning_list
type: bool
title: Enforce Warning List
description: Allows filtering on events with [MISP Warning lists](https://www.circl.lu/doc/misp/warninglists/#misp-warning-lists-introduction-the-dilemma-of-false-positive). Commonly used to filter out possible false positives.
multi: false
required: false
show_user: true
default: false
- name: ssl
type: yaml
title: SSL
multi: false
required: false
show_user: false
default: |
# verification_mode: none
- name: tags
type: text
title: Tags
multi: true
required: true
show_user: false
default:
- forwarded
- misp-threat_attributes
- name: preserve_original_event
required: true
show_user: true
title: Preserve original event
description: Preserves a raw copy of the original event, added to the field `event.original`
type: bool
multi: false
default: false
- name: processors
type: yaml
title: Processors
multi: false
required: false
show_user: false
description: >
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- name: enable_request_tracer
type: bool
title: Enable request tracing
multi: false
required: false
show_user: false
description: >
The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
template_path: httpjson.yml.hbs
title: MISP
description: Collect indicators from the MISP Attributes API