diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 4476737e72a0..1e969796555d 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -145017,7 +145017,7 @@ type: keyword -- -*`threatintel.indicator.geo.geo.city_name`*:: +*`threatintel.indicator.geo.city_name`*:: + -- City name. @@ -145028,7 +145028,7 @@ example: Montreal -- -*`threatintel.indicator.geo.geo.country_iso_code`*:: +*`threatintel.indicator.geo.country_iso_code`*:: + -- Country ISO code. @@ -145039,7 +145039,7 @@ example: CA -- -*`threatintel.indicator.geo.geo.country_name`*:: +*`threatintel.indicator.geo.country_name`*:: + -- Country name. @@ -145050,7 +145050,7 @@ example: Canada -- -*`threatintel.indicator.geo.geo.location`*:: +*`threatintel.indicator.geo.location`*:: + -- Longitude and latitude. @@ -145061,7 +145061,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`threatintel.indicator.geo.geo.region_iso_code`*:: +*`threatintel.indicator.geo.region_iso_code`*:: + -- Region ISO code. @@ -145072,7 +145072,7 @@ example: CA-QC -- -*`threatintel.indicator.geo.geo.region_name`*:: +*`threatintel.indicator.geo.region_name`*:: + -- Region name. @@ -145142,6 +145142,16 @@ type: keyword The file's sha256 hash, if available. +type: keyword + +-- + +*`threatintel.indicator.file.hash.sha384`*:: ++ +-- +The file's sha384 hash, if available. + + type: keyword -- @@ -145159,7 +145169,7 @@ type: keyword *`threatintel.indicator.file.type`*:: + -- -The file type +The file type. type: keyword @@ -145169,7 +145179,7 @@ type: keyword *`threatintel.indicator.file.size`*:: + -- -The file's total size +The file's total size. type: long 
@@ -145179,7 +145189,27 @@ type: long *`threatintel.indicator.file.name`*:: + -- -The file's name +The file's name. + + +type: keyword + +-- + +*`threatintel.indicator.file.extension`*:: ++ +-- +The file's extension. + + +type: keyword + +-- + +*`threatintel.indicator.file.mime_type`*:: ++ +-- +The file's MIME type. type: keyword @@ -145374,6 +145404,16 @@ example: *.elastic.co -- +*`threatintel.indicator.signature`*:: ++ +-- +Malware family of sample (if available). + + +type: keyword + +-- + [float] === abusemalware @@ -145661,6 +145701,105 @@ type: keyword The STIX reference object. +type: keyword + +-- + +[float] +=== malwarebazaar + +Fields for Malware Bazaar Threat Intel + + + +*`threatintel.malwarebazaar.file_type`*:: ++ +-- +File type guessed by Malware Bazaar. + + +type: keyword + +-- + +*`threatintel.malwarebazaar.signature`*:: ++ +-- +Malware familiy. + + +type: keyword + +-- + +*`threatintel.malwarebazaar.tags`*:: ++ +-- +A list of tags associated with the queried malware sample. + + +type: keyword + +-- + + +*`threatintel.malwarebazaar.intelligence.downloads`*:: ++ +-- +Number of downloads from MalwareBazaar. + + +type: long + +-- + +*`threatintel.malwarebazaar.intelligence.uploads`*:: ++ +-- +Number of uploads from MalwareBazaar. + + +type: long + +-- + + +*`threatintel.malwarebazaar.intelligence.mail.Generic`*:: ++ +-- +Malware seen in generic spam traffic. + + +type: keyword + +-- + +*`threatintel.malwarebazaar.intelligence.mail.IT`*:: ++ +-- +Malware seen in IT spam traffic. + + +type: keyword + +-- + +*`threatintel.malwarebazaar.anonymous`*:: ++ +-- +Identifies if the sample was submitted anonymously. + + +type: long + +-- + +*`threatintel.malwarebazaar.code_sign`*:: ++ +-- +Code signing information for the sample. + + type: keyword -- 
diff --git a/filebeat/docs/images/filebeat-threatintel-malware-bazaar.png b/filebeat/docs/images/filebeat-threatintel-malware-bazaar.png new file mode 100644 index 000000000000..601132ad9b9b Binary files /dev/null and b/filebeat/docs/images/filebeat-threatintel-malware-bazaar.png differ diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc index f9efb4af87cc..ca57836da1f0 100644 --- a/filebeat/docs/modules/threatintel.asciidoc +++ b/filebeat/docs/modules/threatintel.asciidoc @@ -20,11 +20,13 @@ Processors]. The related threat intel attribute that is meant to be used for matching incoming source data is stored under the `threatintel.indicator.*` fields. -The available filesets are: +[float] +=== The available filesets are: -* `abuseurl`: Supports URL entities from Abuse.ch. -* `abusemalware`: Supports Malware/Payload entities from Abuse.ch. +* `abuseurl`: Supports gathering URL entities from Abuse.ch. +* `abusemalware`: Supports gathering Malware/Payload entities from Abuse.ch. * `misp`: Supports gathering threat intel attributes from MISP (replaces MISP module). +* `malwarebazaar`: Supports gathering Malware/Payload entities from Malware Bazaar. * `otx`: Supports gathering threat intel attributes from AlientVault OTX. * `anomali`: Supports gathering threat intel attributes from Anomali. 
@@ -108,6 +110,60 @@ Abuse.ch Malware Threat Intel is mapped to the following ECS fields. | file_size | threatintel.indicator.file.size |================================================================ +[float] +==== `malwarebazaar` fileset settings + +This fileset contacts the Malware Bazaar API and fetches all new malicious hashes found +the last 10 minutes. + +To configure the module, please utilize the default URL unless specified as the +example below: + +[source,yaml] +---- +- module: threatintel + malwarebazaar: + enabled: true + var.input: httpjson + var.url: https://mb-api.abuse.ch/api/v1/ + var.interval: 10m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. + +*`var.interval`*:: + +How often the API is polled for updated information. + +Malware Bazaar Threat Intel is mapped to the following ECS fields. + +[options="header"] +|================================================================ +| Malware Threat IntelFields | ECS Fields +| md5_hash | threatintel.indicator.file.hash.md5 +| sha256_hash | threatintel.indicator.file.hash.sha256 +| tlsh | threatintel.indicator.file.hash.tlsh +| ssdeep | threatintel.indicator.file.hash.ssdeep +| imphash | threatintel.indicator.file.pe.imphash +| file_size | threatintel.indicator.file.size +| file_name | threatintel.indicator.file.name +| file_type_mime | threatintel.indicator.file.mime_type +| file_type | threatintel.indicator.file.type +| reporter | threatintel.indicator.provider +| origin_country | threatintel.indicator.geo.country_iso_code +| signature | threatintel.indicator.signature +| code_sign.subject_cn | threatintel.indicator.file.x509.subject.common_name +| code_sign.issuer_cn | threatintel.indicator.file.x509.issuer.common_name +| code_sign.algorithm | threatintel.indicator.file.x509.public_key_algorithm +| code_sign.valid_from | threatintel.indicator.file.x509.not_before +| code_sign.valid_to | threatintel.indicator.file.x509.not_after +| 
code_sign.serial_number | threatintel.indicator.file.x509.serial_number +|================================================================ + [float] ==== `misp` fileset settings diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index a81ef15610e7..760847c8189f 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -282,8 +282,10 @@ def clean_keys(obj): "threatintel.abuseurl", "threatintel.abusemalware", "threatintel.anomali", + "threatintel.malwarebazaar", "snyk.vulnerabilities", - "awsfargate.log" + "snyk.audit", + "awsfargate.log", } # dataset + log file pairs for which @timestamp is kept as an exception from above remove_timestamp_exception = { diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 8d0ddda9143d..9c99836824d2 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -2151,6 +2151,18 @@ filebeat.modules: # The interval to poll the API for updates. var.interval: 10m + malwarebazaar: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://mb-api.abuse.ch/api/v1/ + + # The interval to poll the API for updates. + var.interval: 10m + misp: enabled: true @@ -2170,7 +2182,7 @@ filebeat.modules: # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context. # For examples please reference the filebeat module documentation. #var.filters: - # - threat_level: [4, 5] + # - threat_level: [4, 5] # - to_ids: true # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer @@ -2206,6 +2218,8 @@ filebeat.modules: # The interval to poll the API for updates var.interval: 5m + +======= anomali: enabled: true 
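Review bot: The `filebeat/tests/system/test_modules.py` hunk adds `"snyk.audit"` to this dataset set alongside `"threatintel.malwarebazaar"`, and the same commit adds `@timestamp` to the `snyk_vulns.ndjson.log-expected.json` fixture, neither of which relates to the Malware Bazaar fileset. If this set drives `@timestamp` removal in `clean_keys` (inferred from the name of the following `remove_timestamp_exception` set), then `snyk.vulnerabilities` staying in it while its expected file now carries `@timestamp` looks contradictory and should be checked before merging. I would split the snyk changes into their own commit or state in the description why they ride along. `clean_keys` starts and ends outside the hunk.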
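Review bot: The third hunk of `x-pack/filebeat/filebeat.reference.yml` adds a bare `=======` line before `anomali:`, which looks like a leftover merge-conflict marker; the same two lines are added to `x-pack/filebeat/module/threatintel/_meta/config.yml` in its last hunk. In that position the line either breaks YAML parsing of the reference config or is read as a stray scalar, so both added lines (`+` and `+=======`) should be dropped from both files. The reference file appears to be generated from `_meta/config.yml`, so fixing the source and regenerating keeps the two in sync. The second hunk's edit of `# - threat_level: [4, 5]` is whitespace only and may be unintended.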
diff --git a/x-pack/filebeat/module/snyk/vulnerabilities/test/snyk_vulns.ndjson.log-expected.json b/x-pack/filebeat/module/snyk/vulnerabilities/test/snyk_vulns.ndjson.log-expected.json index 9cd84ffb219f..12d7f8782450 100644 --- a/x-pack/filebeat/module/snyk/vulnerabilities/test/snyk_vulns.ndjson.log-expected.json +++ b/x-pack/filebeat/module/snyk/vulnerabilities/test/snyk_vulns.ndjson.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2021-04-20T09:23:37.189Z", "event.dataset": "snyk.vulnerabilities", "event.module": "snyk", "event.timezone": "-02:00", @@ -99,6 +100,7 @@ "vulnerability.severity": "high" }, { + "@timestamp": "2021-04-20T09:23:37.189Z", "event.dataset": "snyk.vulnerabilities", "event.module": "snyk", "event.timezone": "-02:00", @@ -200,6 +202,7 @@ "vulnerability.severity": "high" }, { + "@timestamp": "2021-04-20T09:23:37.190Z", "event.dataset": "snyk.vulnerabilities", "event.module": "snyk", "event.timezone": "-02:00", @@ -295,6 +298,7 @@ "vulnerability.severity": "high" }, { + "@timestamp": "2021-04-20T09:23:37.190Z", "event.dataset": "snyk.vulnerabilities", "event.module": "snyk", "event.timezone": "-02:00", diff --git a/x-pack/filebeat/module/threatintel/_meta/config.yml b/x-pack/filebeat/module/threatintel/_meta/config.yml index 72a5df6377bc..f754cae2144a 100644 --- a/x-pack/filebeat/module/threatintel/_meta/config.yml +++ b/x-pack/filebeat/module/threatintel/_meta/config.yml @@ -23,6 +23,18 @@ # The interval to poll the API for updates. var.interval: 10m + malwarebazaar: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://mb-api.abuse.ch/api/v1/ + + # The interval to poll the API for updates. + var.interval: 10m + misp: enabled: true 
@@ -42,7 +54,7 @@ # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context. # For examples please reference the filebeat module documentation. #var.filters: - # - threat_level: [4, 5] + # - threat_level: [4, 5] # - to_ids: true # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer @@ -78,6 +90,8 @@ # The interval to poll the API for updates var.interval: 5m + +======= anomali: enabled: true diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc index 1be2a4fc8384..ffe41855e1b7 100644 --- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc @@ -15,11 +15,13 @@ Processors]. The related threat intel attribute that is meant to be used for matching incoming source data is stored under the `threatintel.indicator.*` fields. -The available filesets are: +[float] +=== The available filesets are: -* `abuseurl`: Supports URL entities from Abuse.ch. -* `abusemalware`: Supports Malware/Payload entities from Abuse.ch. +* `abuseurl`: Supports gathering URL entities from Abuse.ch. +* `abusemalware`: Supports gathering Malware/Payload entities from Abuse.ch. * `misp`: Supports gathering threat intel attributes from MISP (replaces MISP module). +* `malwarebazaar`: Supports gathering Malware/Payload entities from Malware Bazaar. * `otx`: Supports gathering threat intel attributes from AlientVault OTX. * `anomali`: Supports gathering threat intel attributes from Anomali. 
@@ -103,6 +105,60 @@ Abuse.ch Malware Threat Intel is mapped to the following ECS fields. | file_size | threatintel.indicator.file.size |================================================================ +[float] +==== `malwarebazaar` fileset settings + +This fileset contacts the Malware Bazaar API and fetches all new malicious hashes found +the last 10 minutes. + +To configure the module, please utilize the default URL unless specified as the +example below: + +[source,yaml] +---- +- module: threatintel + malwarebazaar: + enabled: true + var.input: httpjson + var.url: https://mb-api.abuse.ch/api/v1/ + var.interval: 10m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. + +*`var.interval`*:: + +How often the API is polled for updated information. + +Malware Bazaar Threat Intel is mapped to the following ECS fields. + +[options="header"] +|================================================================ +| Malware Threat IntelFields | ECS Fields +| md5_hash | threatintel.indicator.file.hash.md5 +| sha256_hash | threatintel.indicator.file.hash.sha256 +| tlsh | threatintel.indicator.file.hash.tlsh +| ssdeep | threatintel.indicator.file.hash.ssdeep +| imphash | threatintel.indicator.file.pe.imphash +| file_size | threatintel.indicator.file.size +| file_name | threatintel.indicator.file.name +| file_type_mime | threatintel.indicator.file.mime_type +| file_type | threatintel.indicator.file.type +| reporter | threatintel.indicator.provider +| origin_country | threatintel.indicator.geo.country_iso_code +| signature | threatintel.indicator.signature +| code_sign.subject_cn | threatintel.indicator.file.x509.subject.common_name +| code_sign.issuer_cn | threatintel.indicator.file.x509.issuer.common_name +| code_sign.algorithm | threatintel.indicator.file.x509.public_key_algorithm +| code_sign.valid_from | threatintel.indicator.file.x509.not_before +| code_sign.valid_to | threatintel.indicator.file.x509.not_after +| 
code_sign.serial_number | threatintel.indicator.file.x509.serial_number +|================================================================ + [float] ==== `misp` fileset settings diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml index c399b21ec66b..48222e31ebdc 100644 --- a/x-pack/filebeat/module/threatintel/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/_meta/fields.yml @@ -162,31 +162,31 @@ - name: indicator.geo type: group fields: - - name: geo.city_name + - name: city_name type: keyword ignore_above: 1024 description: City name. example: Montreal - - name: geo.country_iso_code + - name: country_iso_code type: keyword ignore_above: 1024 description: Country ISO code. example: CA - - name: geo.country_name + - name: country_name type: keyword ignore_above: 1024 description: Country name. example: Canada - - name: geo.location + - name: location type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.region_iso_code + - name: region_iso_code type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - - name: geo.region_name + - name: region_name type: keyword ignore_above: 1024 description: Region name. @@ -225,6 +225,10 @@ type: keyword description: > The file's sha256 hash, if available. + - name: sha384 + type: keyword + description: > + The file's sha384 hash, if available. - name: sha512 type: keyword description: > @@ -233,15 +237,23 @@ type: keyword ignore_above: 1024 description: > - The file type + The file type. - name: size type: long description: > - The file's total size + The file's total size. - name: name type: keyword description: > - The file's name + The file's name. + - name: extension + type: keyword + description: > + The file's extension. + - name: mime_type + type: keyword + description: > + The file's MIME type. - name: indicator.url type: group fields: 
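Review bot: The `type` field description in the `@@ -233,15 +237,23 @@` hunk is rewritten as `The file type.` without saying what populates it, while the `malwarebazaar` docs in this commit map the provider's guessed file format (`file_type`) onto `threatintel.indicator.file.type`; ECS defines `file.type` as the filesystem entry type (file, dir or symlink), so a correlation rule written against ECS semantics would misread this value. I would document the distinction, e.g. `description: > The file type. For Malware Bazaar indicators this is the file format guessed by the provider, not the ECS file/dir/symlink entry type.` The new keyword fields `sha384`, `extension`, `mime_type` (and `indicator.signature` in the next hunk) omit `ignore_above: 1024`, unlike the keyword fields of the `indicator.geo` group in the first hunk; if that is deliberate it matches the existing `sha256`/`sha512` entries, otherwise it is worth adding since these values come from an external feed. The enclosing `indicator.file` group starts outside these hunks.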
@@ -362,4 +374,8 @@ description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - example: '*.elastic.co' \ No newline at end of file + example: '*.elastic.co' + - name: indicator.signature + type: keyword + description: > + Malware family of sample (if available). diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-malwarebazaar.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-malwarebazaar.json new file mode 100644 index 000000000000..3cbc94aa6c0f --- /dev/null +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-malwarebazaar.json 
@@ -0,0 +1,2566 @@ +{ + "objects": [ + { + "attributes": { + "description": "Malware Bazaar indicators ingested by the threat intel Filebeat module.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "1083ca13-ad6f-4814-8fbf-81b6e6e699ce", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "1083ca13-ad6f-4814-8fbf-81b6e6e699ce", + "panelRefName": "panel_0", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 215.66666666666663 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "e5a1ac0c-48a9-445e-becf-865607f990e5", + "w": 8, + "x": 8, + "y": 0 + }, + "panelIndex": "e5a1ac0c-48a9-445e-becf-865607f990e5", + "panelRefName": "panel_1", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "d3b51c89-ac94-4972-a47e-171a0ae635c2", + "w": 7, + "x": 16, + "y": 0 + }, + "panelIndex": "d3b51c89-ac94-4972-a47e-171a0ae635c2", + "panelRefName": "panel_2", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "04c92d8e-6022-4734-96a2-75c51779da75", + "w": 14, + "x": 23, + "y": 0 + }, + "panelIndex": "04c92d8e-6022-4734-96a2-75c51779da75", + "panelRefName": "panel_3", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "0ba44fdb-d494-45ea-8890-1b9eb4e07e44", + "w": 11, + "x": 37, + "y": 0 + }, + "panelIndex": "0ba44fdb-d494-45ea-8890-1b9eb4e07e44", + "panelRefName": "panel_4", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hiddenLayers": [], + "isLayerTOCOpen": true, + "mapCenter": { + "lat": 
19.94277, + "lon": 0, + "zoom": 1.08 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 18, + "i": "f0c69f9f-856b-4a66-ac07-6f4f1836743e", + "w": 27, + "x": 0, + "y": 18 + }, + "panelIndex": "f0c69f9f-856b-4a66-ac07-6f4f1836743e", + "panelRefName": "panel_5", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "30bc1259-fae6-4806-a4f7-de4e15a57599", + "w": 12, + "x": 27, + "y": 18 + }, + "panelIndex": "30bc1259-fae6-4806-a4f7-de4e15a57599", + "panelRefName": "panel_6", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "3e41e9e7-2d9a-44ef-9092-3e14fc07f9ec", + "w": 9, + "x": 39, + "y": 18 + }, + "panelIndex": "3e41e9e7-2d9a-44ef-9092-3e14fc07f9ec", + "panelRefName": "panel_7", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "ac98b880-f1a9-4682-8438-38058275209e", + "w": 11, + "x": 0, + "y": 36 + }, + "panelIndex": "ac98b880-f1a9-4682-8438-38058275209e", + "panelRefName": "panel_8", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 661.6666666666666 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "0086d444-b5bf-4330-bdc2-01aa8f7c06db", + "w": 16, + "x": 11, + "y": 36 + }, + "panelIndex": "0086d444-b5bf-4330-bdc2-01aa8f7c06db", + "panelRefName": "panel_9", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "table": null, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 944.6666666666666 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "0d852939-66e7-4702-aeb3-886d3ae98e90", + "w": 21, + "x": 27, + "y": 36 + }, + "panelIndex": "0d852939-66e7-4702-aeb3-886d3ae98e90", + "panelRefName": "panel_10", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ 
+ { + "colIndex": 0, + "width": 395.66666666666663 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "79426cc6-6f0b-4403-be33-77fe1c40656f", + "w": 11, + "x": 0, + "y": 54 + }, + "panelIndex": "79426cc6-6f0b-4403-be33-77fe1c40656f", + "panelRefName": "panel_11", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "4394a033-cccf-46a6-83a6-ae5598fe1198", + "w": 15, + "x": 11, + "y": 54 + }, + "panelIndex": "4394a033-cccf-46a6-83a6-ae5598fe1198", + "panelRefName": "panel_12", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 562.6666666666666 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "f09ad2ef-d681-44bf-834e-b5c85c39efe0", + "w": 14, + "x": 26, + "y": 54 + }, + "panelIndex": "f09ad2ef-d681-44bf-834e-b5c85c39efe0", + "panelRefName": "panel_13", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 309.66666666666663 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "7907e86f-a77d-47a5-8d35-d0805449b925", + "w": 8, + "x": 40, + "y": 54 + }, + "panelIndex": "7907e86f-a77d-47a5-8d35-d0805449b925", + "panelRefName": "panel_14", + "version": "7.11.1" + } + ], + "timeRestore": false, + "title": "[Filebeat Threat Intel] Malware Bazaar", + "version": 1 + }, + "id": "dee7be00-82ab-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "f91e9620-82a8-11eb-ac13-d5ca87cb8fa2", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "d22c1090-82a5-11eb-ac13-d5ca87cb8fa2", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "737d4f30-82ac-11eb-ac13-d5ca87cb8fa2", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2", + "name": "panel_3", + "type": 
"visualization" + }, + { + "id": "c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "63365b50-82aa-11eb-ac13-d5ca87cb8fa2", + "name": "panel_5", + "type": "map" + }, + { + "id": "bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "786546d0-82a5-11eb-ac13-d5ca87cb8fa2", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "7546ac40-82a6-11eb-ac13-d5ca87cb8fa2", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyNDAsMV0=" + }, + { + "attributes": { + "description": "Tags for Malware Bazaar indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + 
"store": "appState" + }, + "exists": { + "field": "threatintel.malwarebazaar.tags" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.malwarebazaar.tags", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar Tags [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Malware Bazaar Tags", + "field": "threatintel.malwarebazaar.tags", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar Tags [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "f91e9620-82a8-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", 
+ "version": "WzEyMjUsMV0=" + }, + { + "attributes": { + "description": "Malware Bazaar malware file MIME type ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.mime_type" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.mime_type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar File MIME Type [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 920.6666666666666 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "File MIME Type", + "field": "threatintel.indicator.file.mime_type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar 
File MIME Type [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "d22c1090-82a5-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMjYsMV0=" + }, + { + "attributes": { + "description": "Total number of Malware Bazaar indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Malware Bazaar Indicators" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + 
"show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Malware Bazaar Indicators [Filebeat Threat Intel]", + "type": "metric" + } + }, + "id": "737d4f30-82ac-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMjcsMV0=" + }, + { + "attributes": { + "description": "Malware Bazaar file extensions ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.extension" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.extension", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", 
+ "title": "Malware Bazaar File Extensions [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "threatintel.indicator.file.extension", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Malware Bazaar File Extensions [Filebeat Threat Intel]", + "type": "pie" + } + }, + "id": "8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMjgsMV0=" + }, + { + "attributes": { + "description": "Malware Bazaar provider of indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": 
"event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.provider" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.provider", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar Indicator Provider [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "colors": { + "Count": "#705DA0" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Indicator Provider", + "field": "threatintel.indicator.provider", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "labels": { + "show": true + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": 
"ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 75, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Malware Bazaar Indicator Provider [Filebeat Threat Intel]", + "type": "horizontal_bar" + } + }, + "id": "c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMjksMV0=" + }, + { + "attributes": { + "description": "Origin country of the indicator ingested by the threat intel Filebeat module.", + "layerListJSON": 
"[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"ea2479ec-b43e-4377-a068-91d93265081d\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"81d209f7-b068-4b0d-90f4-baf9a3eefb55\",\"indexPatternTitle\":\"filebeat-*\",\"term\":\"threatintel.indicator.geo.country_iso_code\",\"metrics\":[{\"type\":\"count\"}],\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"indexPatternRefName\":\"layer_1_join_0_index_pattern\"}}],\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"]},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"__kbnjoin__count__81d209f7-b068-4b0d-90f4-baf9a3eefb55\",\"origin\":\"join\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#3d3d3d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"66df8b3a-7f7c-4969-929e-2c1ac5b64584\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", + "mapStateJSON": 
"{\"zoom\":2.08,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-30d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "title": "Indicator Origin Country [Filebeat Threat Intel]", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "id": "63365b50-82aa-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "map": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + }, + { + "id": "filebeat-*", + "name": "layer_1_join_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMzAsMV0=" + }, + { + "attributes": { + "description": "Number of times Malware Bazaar indicators ingested by the threat intel Filebeat module have been downloaded.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.malwarebazaar.intelligence.downloads" + }, + "meta": { + "alias": null, + "disabled": 
false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.malwarebazaar.intelligence.downloads", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar Downloads [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": 0, + "direction": "desc" + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Malware Bazaar Downloads", + "field": "threatintel.malwarebazaar.intelligence.downloads", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar Downloads [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": 
"2021-03-11T21:11:00.273Z", + "version": "WzEyMzEsMV0=" + }, + { + "attributes": { + "description": "Number of times Malware Bazaar indicators ingested by the threat intel Filebeat module have been uploaded.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.malwarebazaar.intelligence.uploads" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.malwarebazaar.intelligence.uploads", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar Uploads [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": 0, + "direction": "desc" + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Malware Bazaar Uploads", + "field": "threatintel.malwarebazaar.intelligence.uploads", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + 
"showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar Uploads [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMzIsMV0=" + }, + { + "attributes": { + "description": "First time indicators ingested by the threat intel Filebeat module have been seen by Malware Bazaar", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.first_seen" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.first_seen", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar Indicator First Seen 
[Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": 0, + "direction": "desc" + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Indicator First Seen", + "field": "threatintel.indicator.first_seen", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar Indicator First Seen [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMzMsMV0=" + }, + { + "attributes": { + "description": "Malware Bazaar malware TLSH hashes ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.tlsh" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.tlsh", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar TLSH Hashes [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 920.6666666666666 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "TLSH Hash", + "field": "threatintel.indicator.file.hash.tlsh", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar TLSH Hashes [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "786546d0-82a5-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" 
+ }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMzQsMV0=" + }, + { + "attributes": { + "description": "Malware Bazaar malware ssdeep hashes ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.ssdeep" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.ssdeep", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar ssdeep Hashes [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 920.6666666666666 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "ssdeep Hash", + "field": "threatintel.indicator.file.hash.ssdeep", 
+ "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar ssdeep Hashes [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "7546ac40-82a6-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMzUsMV0=" + }, + { + "attributes": { + "description": "Malware Bazaar malware MD5 hashes ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.md5" + }, + "meta": { + "alias": null, + "disabled": 
false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.md5", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar MD5 Hashes [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 920.6666666666666 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "MD5 Hash", + "field": "threatintel.indicator.file.hash.md5", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar MD5 Hashes [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + 
"version": "WzEyMzYsMV0=" + }, + { + "attributes": { + "description": "Malware Bazaar malware SHA1 hashes ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.sha1" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.sha1", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar SHA1 Hashes [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 920.6666666666666 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "SHA1 Hash", + "field": "threatintel.indicator.file.hash.sha1", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar SHA1 Hashes 
[Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMzcsMV0=" + }, + { + "attributes": { + "description": "Malware Bazaar malware SHA256 hashes ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.sha256" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.sha256", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar SHA256 Hashes [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + 
"colIndex": 0, + "width": 920.6666666666666 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "SHA256 Hash", + "field": "threatintel.indicator.file.hash.sha256", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar SHA256 Hashes [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMzgsMV0=" + }, + { + "attributes": { + "description": "Malware Bazaar malware Import Table hashes ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + 
"negate": false, + "params": { + "query": "threatintel.malwarebazaar" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.malwarebazaar" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.pe.imphash" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.pe.imphash", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Malware Bazaar Import Table Hashes [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 920.6666666666666 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Imphash Hash", + "field": "threatintel.indicator.file.pe.imphash", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Malware Bazaar Import Table Hashes [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-11T21:11:00.273Z", + "version": "WzEyMzksMV0=" + }, + { + "attributes": { + "color": "#a548ae", + "description": "Tag for indicators ingested by the Threat Intel Filebeat module.", + "name": "threat intel" + }, + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "namespaces": [ + "default" + ], + "references": [], + "type": "tag", + "updated_at": "2021-03-11T19:22:47.095Z", + "version": "WzQwMiwxXQ==" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": 
"enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "All Logs [Filebeat Threat Intel] ECS", + "version": 1 + }, + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "search": "7.9.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-03-11T19:22:47.095Z", + "version": "WzQwMywxXQ==" + } + ], + "version": "7.11.2" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go index 7dce52402df1..7fabbdd1912f 100644 --- a/x-pack/filebeat/module/threatintel/fields.go +++ b/x-pack/filebeat/module/threatintel/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetThreatintel returns asset data. // This is the base64 encoded gzipped contents of module/threatintel. func AssetThreatintel() string { - return "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" + return "eJzsfW1z2ziS//v5FF3+v4i9JSm2E2cTV+V/5bGdiescJ+uHmam9XCkQ2RSxBgEGACVrru67X+GBFJ9EyxaVm9tavZmxSKF/aHQ3+gnIEO5xcQw6lkg05RrZTwCaaob1LyUyJAqPYYKa/AQQogokTTUV/Bj+/08AALf2B2B/wegUeYDwgTKcmG8/iTBjOPoJIKLIQnVsfzIETpIGLfMJMSIZ02P79jFEhCn0j/QixWOYSpGlxcsNMObzwVKCSIoEdIxlKktgSQHMfMrgygApD2lAtJCjiEqlxwqRFy/lkO5xMRcyLH2/ApjjFkJINALhIWiaIMxj5FXuKZHJAMGSBImpkBpDUHQaa8qnoGOqSsg6QDOyCrOB0DtgQ24jvPlPVAMvE3y6Ht6rLJmgBBFZsKpGHeZEgZgolDMMIRA8zAIP0koxCTSdUb3oQmkQbSgEixQNwiUsogzjJCrkhneTBZwuzDQ+W6hkwhAoh5vbi9/hcLQ/qox2/pBiYH41IyxDVXkG8BcgmRZcJCJTQ7VQGpPmG1LTiAS68SCkEgMt5KL5RCSE8qHhTeMZJoSyIQlD2XgUUdZ8n6az1+2v03T2pv1JQoIVDzKND41vUykCVE3eKBHpOZFNTJlkze8UyiEJApHxJqvmlIdiroYSp1RpuRjeY5NrD8Oj/XfDAA2/zcpjh5iV5GczaTuzjyZWF9AOYGTPSLrguQo4mVtay04tDQjnKMdKE72Jpp4aPhooJ7++PD+7hhnyUEiDkmhQWWAWLMoYW0CI2kl4QhgNqMiUFSQQEu6uL7uwplLMaIhyMw5ehMjNinkWGiLWwMRYtYM5tS5EgeARDc3rvWJaDguSWItGlKJTvlzYHBxkyjy2tqT0KxUQhuppluVKaLhJMTAwwgFcCY4DuBTzAXzCkGbJAD7Sadz42f7wYL/x5UmYUEkY1Qu4MVBg92D4Zq/x2tnVRf78aPjuqPnCb+df8hcuklQoRY3xHMIpSk0o3+tYGucTbEVUlONS4P0OtyuFRBOgCgKRmBUxDkuX5JjXFert4vNElt5Ty0bfBZKmDXyVr9aDRvL9uLJDEg4XX8BYfVQKdqmUaHBrOrNzcJsVFXyvk4t24+qNiSuQ+v3xuSCNC7WBZV0Dn6EA3PlKzwRpt/mRX45tM5Q7r2LT1U+IvKd8OtKsKadPc+EkiYy+XBqXFb5IoUUgGKiYSKPLnk63PQUi8bhpwGKqm/7IL7LqxrtvT8z6Nb69xrCTBTqIMWxMvxxZQUtMtByLaJHQoEJ2FQc7ediwRm7g0spbV8ADBgJMBIQB8hmVgifINSAPU0GNGyGBo54LeQ84Q65HLbjtjLYA246bOwRbnkMt+OhrCrlXuLUZNOWQNG3G+iLoLFcLI2pGssaFO06/Z5jbPcLMVIw+auFmXkRK4CKlkQ1/G18XhvPk5qrugWSWBFsAXXIYSRAXjBHc0rrgGiVHXbUQ+ECSlOExHBwdvHnXMnEhp4TTP4iZz6gRfa0WBjrlQuKYTMTMjL5/+LryOMmYpuMmv0uChw/1oMdRa3nAhUxUNXvTshifS1OxRFaw4hchpgzh8vK0Q5rysGsDmTKuz0hpWUtAbMDVTg08FVwb5bHplLmk1ml35C3F2t4B8EWkGbPi6jZEIiVZtP7cOpZepnPGjOCDkGBc/0YE7n+Vv+mow+71+S/jm78PwPz3/PcvJ1dn45u/7w2c76pikbEQJlhCQnXd1xcc/eiePH7PjCOprM/pyJ
qfWRqf7i5vLyxFSyEflDGY1BHPiKQ2KcKQT3XsBudZgtK7sAMTQMaGUWbks98+X5/ZBJb562/mr8o0aqNPENKC1xaeYWSIAU0IW+ZpnODu4mgK33YOdr7trZDfF/+xc3r8VWryVWI41jr9OqH8a7IgaTrCB9z5zxctwpiSGjP7EcIPGWN27AFQHrAsNCsQ0xkOzNCWRdY3aZ/Jx3+//PT15vOH299Ors+/fqKBFEpE+utvLvcBV7dfTzMpketfUSoq+NeLhExdOhjOHzDIatkM8/lsoamvc8rN1AxLvp7hJJtOKwY+Z0wTXj+cuSoF9ZaGVSqNfMWqdkCsZ376AXidq6dZqCoXmuZwimIDSxhQvRj3t7lUpnFqIvwOa/9JcC2RsDZYIuNaLsZUiXEgwq2gcyTg4uYzGBIrQJ6edMDbFuM8tA7enRJOQtICzfo5ddXzUoFibJ231ZQvBZ9SnYWuBsCItn+ssnb/BTtM8J1jGP711ejNweu3r/YHsMOI3jmG10ejo/2jdwdv4b/bjJ7ZgQTf5vpeWwqPL+/wb6er8W1pgT22jvX9W4YTDDrUPqIMRymOaJLGRMVrhLidACvwXpyAGbNIfCapkFoB5UDgy7lNyI7ghIOnDcOhCQfca1BDA+ZpQLjZajPlHPCI8inKVJo4YkI5kdZzniEHEmmUIDEQSUqZ23aFBKFjlHYZhwxnWM3Xa0m4ioRM7OsKYjJDEEFgtqdwAPOYBjHMrQ8TxIRPERIh0fwspOYXhLnZuki9uh6XSCR37xMNsdapOn75cj6fjyIqERc4CkTycsLE9KXLZQyNw0BkEL883D94/XL/4KWWJLinfDpMCJsTiUPHp6GhabylWCdsVFaRQgb2gzdv918Fr/Hd4eGB+Z8wIEfv3rwiJHz1JgyjR6Rjg12hsYbtA7QNUQojmKo7iau15xEP2hUnzaxeqFzQzPgDoBGQGaHM+IijVhxKhYjpVpC4oS271kGShEdbgZGER2tjUDE52A4vYnLwFBSHR2+2hePw6M1TkLx6+3pbSF69ff0UJEcHh9tCcnRw+AiSZ+SdNgmKc3h2+DYciv7RhqM77bOKygsFWmjC7Kht1J6w069LsL6956TwQSNX7T7aJvSKcduIJjTBcV8pxRLRTxefzmtL2NyOqiX2J2dr6nWcZ+M+c6Ua79dkki2TBztmU0dGlKbBKBA7fSzc5uqBzLauaEJ5noBmuMSxrN0JSaeU25zF9wyVbkEfSTJNsOb9bwf8FyGd61Yw2nt25q9v/+9bie1apK28jjLG+ljyi8gOBXfXl7YK470HwrXxRBcik8YthYAoHBh4i1K+S2khsW51KYdvmWQjM+o3416idU5tjsktGFXWg+VKS9dvIST4RJL5teGBTZnXBq5XXMuZYLe4ffDjjicitFX8pczY9VGg0HZ7LQG2QDKfK6HRVQooL3LdieBUC0n5dOAEMu+8uru+hIQsbP6wWArLN4mk3mhgQgzbDQJMTJUbyQxAFYhII4d/ZK7xrOifciVOouM6ytvKgiToV7z4bTE2UUB1pVtsACb+YKht3wkXreWZlCjVYP2W1MmTyvXJ63g7qrWTiY+Q1HGNXElpX7oYp1VxawXtldu2i9iOfW74abZlJbLXr1+1YfqeodxGoq7NaFtaXvDCSj+We+Jz4W0zqI1mOP39vd+TWjieU/z2b9+MiONDwLIQw+WmUCY4MpaQWIEvNhQuzG+tljX64qh9XJqMHcC+aZ4RS3WS6eKtQYmkmz0+UKXrGm6T7LbGn+olNjsN9/43P0YtZxDSKEKJXFOiESao580quS1vzoU15qpNDlzdAyWG4/6cCoM9ptMYrWXKCVij6ogM7DTTFAsFVtnEPaov5wch8/h/UKrp2AF9n0kkJOxEQoz8e6NAJDtmSXbKX7RaQ5fs9owNUaNMKMfQbE4BVcgWfnWAUaWB0Xt07WTZhNEAVBZFtN5vad/cjbVOj1++dC+690ZCTvdGcCsXts
olgKSpFA80Idr3RE0WoGiSsgVocl83AW4xbZuxWVFGJsiUKxFxocFuOXNkzLLj9vJMLY1TIEbZfatpUkGMW8nn1UXixhJabT9tIqkdYi4ZP8haFfSs3fY+m9unF/A9I8y5Cv4d20PmqkmNHkHCWD5h85q1R5i6bTYWSrsfZzz0bmBDF0cAF9xu5lJTwli9p7aOZmCTjpFvZcX8uUt/g80T5oCs22HpB4RzUfe8KtowKPGksJSNyU2QiXm7hnbodFX5yyx34QdRepQs/DBOjp1mE6UbKu3Mcb40MVGutJ/aWunMqIuIlsRK0qeyyeFIZZODigkZtOjfEqqz6N419mwpjbQzcKaDC9CSUGZ0PkVJRdiaYRDp2EJ8mhXeVNYxinwTmRapF5C8eQ9vL8/2BkCYEnDPxZwbTi3ZW3fVrYkbmLUpzJQR21xGSuoyatr0OvXa4NHyfbMwVgD+yUy6NeerrPlymda165lCuaVKTSN88qRWuuLN5MfD0f67DbIfCiUlbLyyDWrTGfpGKUcmb3eiSmXLfvLSKQYgmY6FpNp3mZgw15g/HizqBsSa5kJEjc/I0pj41o2BibmWkbYLBvImDJFpCAQTxvDyELI0RWl8uhqBICaSBBqlWlFEOzr68PPP707/enb+84f9d2/3350dHJ6enrRVdO2Et8HevNnAEDBqs4KXpzknkNp0whlVmvJpRlWMoRtk9+xqz2x5pyJJBPffnV7tDSDEFLnt7xC8NWZfljvf390M4PP7c78fXfBgAJ/v3tvdZ2lzBnB6Vbxz8/Hk0Hb3w4lSmSTV8wzmc2OiZtleKlfZ5B8YbCPpVG7jKHPVUwQTK/xw1t7cvj81boiQnJIBXL6/IRw+GKZRFYgS6weG9yPLaBUTieFoysSEsGIZOLYl8QjTxgAZ82iL09toX7s0G4DzHSwjSzS997N7c3K1N3J8ci1kMyIXxly0HXhyn0LYrU6XF8x2pE6szhv2s0XhYCzPAKAawNnVDTTnDLBrBpxTFgZEhsrs4jys9pDXy7rLFoa/lHK+LzqMuKJTTnQmNzwz8snVgCEiCWULy2SnZLvlqkxLXzuZZAp9BfnRzaQDQH5iVkg4MUOefiww+dO9F6UzutC5M0WU9VdS+JCXgmCamRWzm8/d9WVMstLitRmYlpV5NorK+tBFJ+FMMgNuHIo5Z4L00m5+6bt3YPfu+nLPJUlhITLr4eWEgEAg0oWzfdQdkOtEOqMyU7b8NZKoMrauNe6EevKrP6xn4ErXpbwmCLOdtxciIiZIR3tSJwYTULmB18XBKL/vZdUov8+bcH8thvfno1fo8jolsR+kx7QX0TUR1sVZqeSzlvJItFm9oBftzdfBmw3jAchHddgebs3W3UcfZUHgumLBjZqz4+76cgRf8iOKpTNBIDijHAcgosj8j3N4uQ1BO5G7dqO+UPuDWIGwR62E83isRFMFftupHsBtgTRhJLg30aMaqUxOeilX3dxd/3y5HNmzdQUvzRsYWhZyocfuz3URpyRx5rwn4H48OGvD3wXKX6uwbjDy6NrezqnWKCEmPGSlwNVRcYW82N1K4K5zqC867AoJhAu+SESm9jrBMyI1ttmTiRAMCV8f+oXzvVCVSqxYgWVATxB5Cbko0o02A5Wfg97VMrO1PHtOZa9Tr8jaR0K6tyaXRzHcJlMFRCkR0Ooxg+8ZSuqOuudzau4VXCSE0b62Cjfan2OLaLknZDvtONVD/B1EU2IUpbeikB9u3SnPCKPhOJIiaQEQ1gOqTuq/xcirBG19210zE4mM254Eex6dK6Mh7qAqbc3W5v0C20JlM4ItRJYmZYKst/3ZV5IksvJxwAJRm+y3PNsIgkuI1UViUE78FnUNExBRVVQ8rGme5wmN4gBL27K1XyqygT0rPV5Lnu0tU73wzAyU19LdDT6PkA7cgbs+iJ8/aEnsyUejMsWrM8yJrBSlbZ7pva1okRlkYEPEsghNEHZyubHZkIENsj8SFQ9vPp
4cHr1pTaYLm/QZ+2PtxkHvTffsRSSFx+8pNeMjvx9OyB+ENK9zed7OlwdHP9tB/4y5jirC9obYH5Hp+FO4Qi4r1gaqfElJC7inHVHIMyr1jOKKlqVHW66XN5IVI7tuHM/t5tqWQtF0O0j8uGvjMJaiFUSTte3MXQ71C3KUtesj4JGm9kdnthTdvF9x6siACeFAu9s66sXSHNLF7bbRXNyuBFJy6l0s1SLAT2tvL93t4D0Gn082jpXKJgnVLiL2BFmrogcixLGxLn1o+6kI0Zoqs1NTXhzMsmZ4ibDF7FPVvKnlmdb+4ubL/1aQc6K1pJNMm1CnvZl3Goz7IVW5VuFUJEnGqV6U4o2Vd4sIOd0GhjUou0yTb/9ohfDUAx52lV0/hbVxR8YTO/AdxnCQN2kkQmkIJNU0IKx9Z4lELwIQFucKc7exrAY1d3Elo2znhYr7SaYUoZfr6zbWoRi/taMi6y/iv7uriUXD8atczNG2qz8tzizuMRWRuzOjTtnOPzBy0z57kqvwuHkB5HNk9KOYQ0L4YjmwP4rAfceuPVnrLux4lEX2rlNNkrQXPhWjPZtZIVVuUj0Fmmel8ZyTXNIYY9hblUWKVCjCxjbQGTMRtBV2nqw2N6jtJbXu9sRpJjEEwd32YkMtW2Q21NxdP1Q9unzm5Z4SpL71wRccLKjKwlHlqXWdYnBWYNyfVJ1omMdEuwuEW4WpzbKVDkFKE3bafb+nLaqadrQjY+hgKcMa19ahHt26QqrIhBmjIK1Itgv8c9axNKLN9jhCYX6BVGNpVx5OC9X4R5huoBoSex2eo7rCxRj1h0TU3Iy2XbSDOQZMnyllUb/Q6jmAtrVSFXDPwGVvfevRQrUYJcJsNca4awQkJkI3bxytusw9ytJqt5lyf11Eq90qykzV61trOPsUsxVIfRv+5lj7lMAVWK1g9oG1b6lcgddWJHIBVQse5Aeq1pDTwr3rUViXal2M/lSdXsLqM/2sK/dIrgOtchLCZ6RpOns9cHdHEB7aZu/uKQRE47R+Tf0m/Rp+vA2msnPlz8Ce+H9SoDWvXloFMaZhW+7nuaK8xFy6qy/TwkScAWFskQtyfvju4uymG+K2tqZu7nZjsq/06BL6y03tsvaD8JFQ6OlBYxVQ0e9Q0MFwUP/HJCjXOEXpG/lbT0GWJHFLsWTF3i8nYGwr0ZrY22WfbLwCkTzh+oJHcpR2KAUJCbG4ErbASbVCFnWj2VagYscryWN+zbT7viaTxV3uS1zdAooM+2rPqatLqRsnEbPyMeT1l/jHRFgFUuSVMKuHDdYXT7ex/X/2/nO7atGlZq2FsIO9G3kDBZObwlEU+2qR5OO69pSLQJ/WfVHQqJ30KHov7Im5HXdTTEwOfCV9qGSw06xgCF0+S7dJAePz7e//B5q0/tUZA//qjPln7Yz5nwAAAP//3oI1oA==" } diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml new file mode 100644 index 000000000000..16a50f3a0ff4 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml 
@@ -0,0 +1,47 @@
+- name: malwarebazaar
+ type: group
+ description: >
+ Fields for Malware Bazaar Threat Intel
+ fields:
+ - name: file_type
+ type: keyword
+ description: >
+ File type guessed by Malware Bazaar.
+ - name: signature
+ type: keyword
+ description: >
+ Malware familiy.
+ - name: tags
+ type: keyword
+ description: >
+ A list of tags associated with the queried malware sample.
+ - name: intelligence
+ type: group
+ fields:
+ - name: downloads
+ type: long
+ description: >
+ Number of downloads from MalwareBazaar.
+ - name: uploads
+ type: long
+ description: >
+ Number of uploads from MalwareBazaar.
+ - name: mail
+ type: group
+ fields:
+ - name: Generic
+ type: keyword
+ description: >
+ Malware seen in generic spam traffic.
+ - name: IT
+ type: keyword
+ description: >
+ Malware seen in IT spam traffic.
+ - name: anonymous
+ type: long
+ description: >
+ Identifies if the sample was submitted anonymously.
+ - name: code_sign
+ type: keyword
+ description: >
+ Code signing information for the sample.
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
new file mode 100644
index 000000000000..296bae5457ad
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
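Review bot: `code_sign` is declared `type: keyword` in the last entry of this hunk, but the fixture added by this same commit carries it as a JSON array (`"code_sign":[]`) and the ingest pipeline reads object members (`subject_cn`, `issuer_cn`, …) out of each element, so the first non-empty value would be an object arriving in a keyword field and, as far as I can tell, rejected at index time. Either declare it as a `group` with the member fields, or drop the mapping for what the pipeline already moves to `threatintel.indicator.file.x509.*`. `intelligence.mail` is mapped as the two fixed keys `Generic` and `IT`, while the fixture shows it as a free-form map (`"mail":{"Generic":"low"}`), so any other key the feed emits will be unmapped; a comment such as `# only the keys observed so far; the feed may add others` would make that explicit. The `signature` description reads `Malware familiy.` — `Malware family.`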
@@ -0,0 +1,53 @@
+{{ if eq .input "httpjson" }}
+
+type: httpjson
+config_version: "2"
+interval: {{ .interval }}
+
+request.method: POST
+{{ if .ssl }}
+
+request.ssl: {{ .ssl | tojson }}
+{{ end }}
+request.url: {{ .url }}
+#request.encode_as: application/x-www-form-encoded
+
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+- set:
+ target: url.params.query
+ value: get_recent
+- set:
+ target: url.params.selector
+ value: time
+
+response.split:
+ target: body.data
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - decode_json_fields:
+ fields: [message]
+ target: json
+ - fingerprint:
+ fields: ["json.md5_hash"]
+ target_field: "@metadata._id"
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml
new file mode 100644
index 000000000000..56808b8f9ddb
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml
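Review bot: The httpjson branch sets `header.Content-Type: application/x-www-form-urlencoded` but places `query=get_recent` and `selector=time` in `url.params`, so the POST goes out with form-encoded headers and an empty body; if the endpoint reads the form body rather than the query string, as the commented-out `#request.encode_as` line suggests was once attempted, no samples come back. Either move the two parameters into the request body and keep the encoding setting, or replace the dead comment with one stating why query-string parameters are used with this header. `fingerprint` derives `@metadata._id` from `json.md5_hash`, which is a sensible dedup key for a feed that is re-polled every interval, but a record without `md5_hash` fails that processor and, I believe, drops the event rather than indexing it under a generated id; if that is intended, say so in a comment, otherwise add `ignore_missing: true` to the fingerprint processor.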
@@ -0,0 +1,209 @@
+description: Pipeline for parsing Malware Bazaar Threat Intel
+processors:
+
+####################
+# Event ECS fields #
+####################
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.kind
+ value: enrichment
+- set:
+ field: event.category
+ value: threat
+- set:
+ field: event.type
+ value: indicator
+
+######################
+# General ECS fields #
+######################
+- rename:
+ field: json
+ target_field: threatintel.malwarebazaar
+ ignore_missing: true
+
+#####################
+# Threat ECS Fields #
+#####################
+- date:
+ field: threatintel.malwarebazaar.first_seen
+ target_field: threatintel.indicator.first_seen
+ formats:
+ - "yyyy-MM-dd HH:mm:ss z"
+ - "yyyy-MM-dd HH:mm:ss Z"
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx?.threatintel?.malwarebazaar.first_seen != null"
+- date:
+ field: threatintel.malwarebazaar.last_seen
+ target_field: threatintel.indicator.last_seen
+ formats:
+ - "yyyy-MM-dd HH:mm:ss z"
+ - "yyyy-MM-dd HH:mm:ss Z"
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx?.threatintel?.malwarebazaar.last_seen != null"
+- set:
+ field: threatintel.indicator.type
+ value: file
+- rename:
+ field: threatintel.malwarebazaar.file_name
+ target_field: threatintel.indicator.file.name
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.file_type_mime
+ target_field: threatintel.indicator.file.mime_type
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.reporter
+ target_field: threatintel.indicator.provider
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.origin_country
+ target_field: threatintel.indicator.geo.country_iso_code
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.signature
+ target_field: threatintel.indicator.signature
+ ignore_missing: true
+- foreach:
+ field: threatintel.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
+ rename:
+ field: subject_cn
+ target_field: threatintel.indicator.file.x509.subject.common_name
+ rename:
+ field: issuer_cn
+ target_field: threatintel.indicator.file.x509.issuer.common_name
+ rename:
+ field: algorithm
+ target_field: threatintel.indicator.file.x509.public_key_algorithm
+ rename:
+ field: valid_from
+ target_field: threatintel.indicator.file.x509.not_before
+ rename:
+ field: valid_to
+ target_field: threatintel.indicator.file.x509.not_after
+ rename:
+ field: serial_number
+ target_field: threatintel.indicator.file.x509.serial_number
+- rename:
+ field: threatintel.malwarebazaar.file_size
+ target_field: threatintel.indicator.file.size
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.file_type
+ target_field: threatintel.indicator.file.extension
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.md5_hash
+ target_field: threatintel.indicator.file.hash.md5
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.sha256_hash
+ target_field: threatintel.indicator.file.hash.sha256
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.sha1_hash
+ target_field: threatintel.indicator.file.hash.sha1
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.sha3_384_hash
+ target_field: threatintel.indicator.file.hash.sha384
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.imphash
+ target_field: threatintel.indicator.file.pe.imphash
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.ssdeep
+ target_field: threatintel.indicator.file.hash.ssdeep
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.tlsh
+ target_field: threatintel.indicator.file.hash.tlsh
+ ignore_missing: true
+- rename:
+ field: threatintel.malwarebazaar.telfhash
+ target_field: threatintel.indicator.file.elf.telfhash
+ ignore_missing: true
+- append:
+ field: related.hash
+ value: '{{ threatintel.indicator.file.hash.md5 }}'
+ if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null
+- append:
+ field: related.hash
+ value: '{{ threatintel.indicator.file.hash.sha256 }}'
+ if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null
+- append:
+ field: related.hash
+ value: '{{ threatintel.indicator.file.hash.ssdeep }}'
+ if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null
+- append:
+ field: related.hash
+ value: '{{ threatintel.indicator.file.pe.imphash }}'
+ if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null
+- append:
+ field: related.hash
+ value: '{{ threatintel.indicator.file.elf.telfhash }}'
+ if: ctx?.threatintel?.indicator?.file?.elf?.telfhash != null
+- append:
+ field: related.hash
+ value: '{{ threatintel.indicator.file.hash.tlsh }}'
+ if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null
+- convert:
+ field: threatintel.indicator.file.size
+ type: long
+ ignore_missing: true
+- convert:
+ field: threatintel.malwarebazaar.intelligence.downloads
+ type: long
+ ignore_missing: true
+- convert:
+ field: threatintel.malwarebazaar.intelligence.uploads
+ type: long
+ ignore_missing: true
+
+######################
+# Cleanup processors #
+######################
+- set:
+ field: threatintel.indicator.type
+ value: unknown
+ if: ctx?.threatintel?.indicator?.type == null
+- script:
+ lang: painless
+ if: ctx?.threatintel != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+- remove:
+ field:
+ - threatintel.malwarebazaar.first_seen
+ - threatintel.malwarebazaar.last_seen
+ - message
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
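Review bot: The `foreach` over `threatintel.malwarebazaar.code_sign` cannot work as written: `processor:` takes a single processor, so the six `rename:` entries are duplicate YAML keys that a loader rejects or collapses to one, and the inner processor has to address the current element as `_ingest._value.subject_cn`, not `subject_cn`; since `rename` would also fail on the second certificate once its target exists, one `foreach` per member that `append`s onto the `x509.*` field is the safer shape (below), and because the fixture in this commit only carries `"code_sign":[]`, the expected output never exercises this path. `threatintel.malwarebazaar.sha3_384_hash` is renamed to `threatintel.indicator.file.hash.sha384`, but the source key names a SHA3-384 digest whereas `hash.sha384` conventionally holds SHA-384 (SHA-2), so a pivot on the sample's actual SHA-384 will never match; keep it under a separate, accurately named field and say so in its description. The `if` on the two `date` processors, `ctx?.threatintel?.malwarebazaar.first_seen != null`, is not null-safe on its last step, unlike every later condition in this file: when `json` was absent and the earlier `rename` skipped, the bare `.first_seen` access can throw instead of evaluating false — write `ctx?.threatintel?.malwarebazaar?.first_seen != null`, and likewise for `last_seen`. `related.hash` is appended from md5, sha256, ssdeep, imphash, telfhash and tlsh but not from sha1, so a pivot on the SHA-1 misses the indicator; add the same `append` guarded by `ctx?.threatintel?.indicator?.file?.hash?.sha1 != null`.
```yaml
- foreach:
    field: threatintel.malwarebazaar.code_sign
    ignore_missing: true
    processor:
      append:
        field: threatintel.indicator.file.x509.subject.common_name
        value: '{{{_ingest._value.subject_cn}}}'
# … one foreach of the same shape per remaining member: issuer_cn, algorithm, valid_from, valid_to, serial_number …
```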
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml
new file mode 100644
index 000000000000..ca7a93e6a4ed
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml
@@ -0,0 +1,16 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: interval
+ default: 10m
+ - name: url
+ default: "https://mb-api.abuse.ch/api/v1/"
+ - name: ssl
+ - name: tags
+ default: [threatintel-malwarebazaar, forwarded]
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+input: config/config.yml
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log
new file mode 100644
index 000000000000..e743bb622ee0
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log
@@ -0,0 +1,9 @@ +{"sha256_hash":"5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b","sha3_384_hash":"3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e","sha1_hash":"a71fd0504821092e003f350080a6bcc5fa6a972e","md5_hash":"0af07660056a692b7cb82fa329221ddd","first_seen":"2021-04-06 20:34:58","last_seen":null,"file_name":"SALM0BRU.exe","file_size":399872,"file_type_mime":"application/x-dosexec","file_type":"exe","reporter":"James_inthe_box","origin_country":"US","anonymous":0,"signature":null,"imphash":"f34d5f2d4577ed6d9ceec516c1f5a744","tlsh":"F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686","telfhash":null,"ssdeep":"3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG","tags":["exe"],"code_sign":[],"intelligence":{"clamav":null,"downloads":"15","uploads":"1","mail":null}} +{"sha256_hash":"83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f","sha3_384_hash":"0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7","sha1_hash":"c454be4eb0892d61a4ad6bac16f97724e73cd795","md5_hash":"296aad7075596d21516b30bfbc17fcac","first_seen":"2021-04-06 20:32:25","last_seen":null,"file_name":"PO_NO.ENQUIRY-210604.zip","file_size":476768,"file_type_mime":"application/zip","file_type":"zip","reporter":"GovCERT_CH","origin_country":"US","anonymous":0,"signature":null,"imphash":null,"tlsh":"74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF","telfhash":null,"ssdeep":"12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr","tags":null,"code_sign":[],"intelligence":{"clamav":null,"downloads":"11","uploads":"1","mail":null}} 
+{"sha256_hash":"f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b","sha3_384_hash":"ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc","sha1_hash":"bf103996196df8255881127dee103c22fc12bef3","md5_hash":"a4838dd31c672122441bebcbf7e9d277","first_seen":"2021-04-06 20:12:29","last_seen":null,"file_name":"DropDll.dat","file_size":435926,"file_type_mime":"application/x-dosexec","file_type":"dll","reporter":"DmitriyMelikov","origin_country":"DE","anonymous":0,"signature":"Hancitor","imphash":"0b5a952a025c2783c3126cdb9bef2844","tlsh":"0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7","telfhash":null,"ssdeep":"12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG","tags":["Hancitor"],"code_sign":[],"intelligence":{"clamav":null,"downloads":"30","uploads":"1","mail":null}} +{"sha256_hash":"e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00","sha3_384_hash":"788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c","sha1_hash":"a68ca1b41cb93fe2879bb3baeb8e19990758f099","md5_hash":"8d7c8b55ac49d241fb7f75a27a5ef8d5","first_seen":"2021-04-06 20:07:59","last_seen":null,"file_name":"vabsheche.py","file_size":11717,"file_type_mime":"text/x-script.python","file_type":"unknown","reporter":"ArkbirdDevil","origin_country":"FR","anonymous":0,"signature":null,"imphash":null,"tlsh":"AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD","telfhash":null,"ssdeep":"192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7","tags":["backdoor","python"],"code_sign":[],"intelligence":{"clamav":null,"downloads":"27","uploads":"1","mail":null}} 
+{"sha256_hash":"42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4","sha3_384_hash":"752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f","sha1_hash":"e8378aede9f26f09b7d503d79a05d67612be15f6","md5_hash":"fe185f106730583156f39233f77f8019","first_seen":"2021-04-06 20:00:48","last_seen":null,"file_name":"42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin","file_size":7929856,"file_type_mime":"application/msword","file_type":"docx","reporter":"ArkbirdDevil","origin_country":"FR","anonymous":0,"signature":null,"imphash":null,"tlsh":"13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144","telfhash":null,"ssdeep":"196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2","tags":["maldoc"],"code_sign":[],"intelligence":{"clamav":null,"downloads":"21","uploads":"1","mail":null}} +{"sha256_hash":"2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c","sha3_384_hash":"c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58","sha1_hash":"b2da45913353bfc66d189455f9ad80ef26968143","md5_hash":"70da6872b6b2da9ddc94d14b02302917","first_seen":"2021-04-06 19:58:50","last_seen":null,"file_name":"winlog.wll","file_size":131584,"file_type_mime":"application/x-dosexec","file_type":"dll","reporter":"ArkbirdDevil","origin_country":"FR","anonymous":0,"signature":null,"imphash":"6476b7c4dd55eafbdf922a7ba1e2d5f9","tlsh":"A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27","telfhash":null,"ssdeep":"1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E","tags":["apt","tonto"],"code_sign":[],"intelligence":{"clamav":null,"downloads":"30","uploads":"1","mail":null}} 
+{"sha256_hash":"30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606","sha3_384_hash":"a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4","sha1_hash":"3d613d5678e43faeea1c636185a0b4c3ec80e742","md5_hash":"de80e1d7d9f5b1c64ec9f8d4f5063989","first_seen":"2021-04-06 19:58:44","last_seen":null,"file_name":"30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample","file_size":1088000,"file_type_mime":"application/msword","file_type":"docx","reporter":"DmitriyMelikov","origin_country":"DE","anonymous":0,"signature":null,"imphash":null,"tlsh":"8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7","telfhash":null,"ssdeep":"24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO","tags":null,"code_sign":[],"intelligence":{"clamav":null,"downloads":"32","uploads":"1","mail":null}} +{"sha256_hash":"84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b","sha3_384_hash":"138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d","sha1_hash":"00b52e8ca1785d5086703ad8cff1d28fc3354934","md5_hash":"2759c73c986c6a757bf9d25621c5595a","first_seen":"2021-04-06 19:52:32","last_seen":null,"file_name":"Purchase Order.8000.scan.pdf...exe","file_size":752128,"file_type_mime":"application/x-dosexec","file_type":"exe","reporter":"James_inthe_box","origin_country":"FR","anonymous":0,"signature":"SnakeKeylogger","imphash":"f34d5f2d4577ed6d9ceec516c1f5a744","tlsh":"23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646","telfhash":null,"ssdeep":"12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0","tags":["exe","SnakeKeylogger"],"code_sign":[],"intelligence":{"clamav":null,"downloads":"38","uploads":"1","mail":{"Generic":"low"}}} 
+{"sha256_hash":"0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8","sha3_384_hash":"ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c","sha1_hash":"a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5","md5_hash":"596b3dbf07a287dcf76860b5e54762c3","first_seen":"2021-04-06 19:47:13","last_seen":null,"file_name":"New Order PO#121012020_____PDF_______.exe","file_size":836096,"file_type_mime":"application/x-dosexec","file_type":"exe","reporter":"James_inthe_box","origin_country":"FR","anonymous":0,"signature":"AgentTesla","imphash":"f34d5f2d4577ed6d9ceec516c1f5a744","tlsh":"A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655","telfhash":null,"ssdeep":"12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN","tags":["AgentTesla","exe"],"code_sign":[],"intelligence":{"clamav":null,"downloads":"40","uploads":"1","mail":{"Generic":"low"}}} diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json new file mode 100644 index 000000000000..a5978301da25 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json 
@@ -0,0 +1,393 @@
+[
+ {
+ "event.category": "threat",
+ "event.dataset": "threatintel.malwarebazaar",
+ "event.kind": "enrichment",
+ "event.module": "threatintel",
+ "event.type": "indicator",
+ "fileset.name": "malwarebazaar",
+ "input.type": "log",
+ "log.offset": 0,
+ "related.hash": [
+ "0af07660056a692b7cb82fa329221ddd",
+ "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b",
+ "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG",
+ "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686"
+ ],
+ "service.type": "threatintel",
+ "tags": [
+ "threatintel-malwarebazaar",
+ "forwarded"
+ ],
+ "threatintel.indicator.file.extension": "exe",
+ "threatintel.indicator.file.hash.md5": "0af07660056a692b7cb82fa329221ddd",
+ "threatintel.indicator.file.hash.sha1": "a71fd0504821092e003f350080a6bcc5fa6a972e",
+ "threatintel.indicator.file.hash.sha256": "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b",
+ "threatintel.indicator.file.hash.sha384": "3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e",
+ "threatintel.indicator.file.hash.ssdeep": "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG",
+ "threatintel.indicator.file.hash.tlsh": "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686",
+ "threatintel.indicator.file.mime_type": "application/x-dosexec",
+ "threatintel.indicator.file.name": "SALM0BRU.exe",
+ "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "threatintel.indicator.file.size": 399872,
+ "threatintel.indicator.first_seen": "2021-04-06T20:34:58.000Z",
+ "threatintel.indicator.geo.country_iso_code": "US",
+ "threatintel.indicator.provider": "James_inthe_box",
+ "threatintel.indicator.type": "file",
+ "threatintel.malwarebazaar.anonymous": 0,
+ "threatintel.malwarebazaar.code_sign": [],
+ "threatintel.malwarebazaar.intelligence.downloads": 15,
+ "threatintel.malwarebazaar.intelligence.uploads": 1,
+ "threatintel.malwarebazaar.tags": [
+ "exe"
+ ]
+ },
+ {
+ "event.category": "threat",
+ "event.dataset": "threatintel.malwarebazaar",
+ "event.kind": "enrichment",
+ "event.module": "threatintel",
+ "event.type": "indicator",
+ "fileset.name": "malwarebazaar",
+ "input.type": "log",
+ "log.offset": 871,
+ "related.hash": [
+ "296aad7075596d21516b30bfbc17fcac",
+ "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f",
+ "12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr",
+ "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF"
+ ],
+ "service.type": "threatintel",
+ "tags": [
+ "threatintel-malwarebazaar",
+ "forwarded"
+ ],
+ "threatintel.indicator.file.extension": "zip",
+ "threatintel.indicator.file.hash.md5": "296aad7075596d21516b30bfbc17fcac",
+ "threatintel.indicator.file.hash.sha1": "c454be4eb0892d61a4ad6bac16f97724e73cd795",
+ "threatintel.indicator.file.hash.sha256": "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f",
+ "threatintel.indicator.file.hash.sha384": "0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7",
+ "threatintel.indicator.file.hash.ssdeep": "12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr",
+ "threatintel.indicator.file.hash.tlsh": "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF",
+ "threatintel.indicator.file.mime_type": "application/zip",
+ "threatintel.indicator.file.name": "PO_NO.ENQUIRY-210604.zip",
+ "threatintel.indicator.file.size": 476768,
+ "threatintel.indicator.first_seen": "2021-04-06T20:32:25.000Z",
+ "threatintel.indicator.geo.country_iso_code": "US",
+ "threatintel.indicator.provider": "GovCERT_CH",
+ "threatintel.indicator.type": "file",
+ "threatintel.malwarebazaar.anonymous": 0,
+ "threatintel.malwarebazaar.code_sign": [],
+ "threatintel.malwarebazaar.intelligence.downloads": 11,
+ "threatintel.malwarebazaar.intelligence.uploads": 1
+ },
+ {
+ "event.category": "threat",
+ "event.dataset": "threatintel.malwarebazaar",
+ "event.kind": "enrichment",
+ "event.module": "threatintel",
+ "event.type": "indicator",
+ "fileset.name": "malwarebazaar",
+ "input.type": "log",
+ "log.offset": 1701,
+ "related.hash": [
+ "a4838dd31c672122441bebcbf7e9d277",
+ "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b",
+ "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG",
+ "0b5a952a025c2783c3126cdb9bef2844",
+ "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7"
+ ],
+ "service.type": "threatintel",
+ "tags": [
+ "threatintel-malwarebazaar",
+ "forwarded"
+ ],
+ "threatintel.indicator.file.extension": "dll",
+ "threatintel.indicator.file.hash.md5": "a4838dd31c672122441bebcbf7e9d277",
+ "threatintel.indicator.file.hash.sha1": "bf103996196df8255881127dee103c22fc12bef3",
+ "threatintel.indicator.file.hash.sha256": "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b",
+ "threatintel.indicator.file.hash.sha384": "ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc",
+ "threatintel.indicator.file.hash.ssdeep": "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG",
+ "threatintel.indicator.file.hash.tlsh": "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7",
+ "threatintel.indicator.file.mime_type": "application/x-dosexec",
+ "threatintel.indicator.file.name": "DropDll.dat",
+ "threatintel.indicator.file.pe.imphash": "0b5a952a025c2783c3126cdb9bef2844",
+ "threatintel.indicator.file.size": 435926,
+ "threatintel.indicator.first_seen": "2021-04-06T20:12:29.000Z",
+ "threatintel.indicator.geo.country_iso_code": "DE",
+ "threatintel.indicator.provider": "DmitriyMelikov",
+ "threatintel.indicator.signature": "Hancitor",
+ "threatintel.indicator.type": "file",
+ "threatintel.malwarebazaar.anonymous": 0,
+ "threatintel.malwarebazaar.code_sign": [],
+ "threatintel.malwarebazaar.intelligence.downloads": 30,
+ "threatintel.malwarebazaar.intelligence.uploads": 1,
+ "threatintel.malwarebazaar.tags": [
+ "Hancitor"
+ ]
+ },
+ {
+ "event.category": "threat",
+ "event.dataset": "threatintel.malwarebazaar",
+ "event.kind": "enrichment",
+ "event.module": "threatintel",
+ "event.type": "indicator",
+ "fileset.name": "malwarebazaar",
+ "input.type": "log",
+ "log.offset": 2563,
+ "related.hash": [
+ "8d7c8b55ac49d241fb7f75a27a5ef8d5",
+ "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00",
+ "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7",
+ "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD"
+ ],
+ "service.type": "threatintel",
+ "tags": [
+ "threatintel-malwarebazaar",
+ "forwarded"
+ ],
+ "threatintel.indicator.file.extension": "unknown",
+ "threatintel.indicator.file.hash.md5": "8d7c8b55ac49d241fb7f75a27a5ef8d5",
+ "threatintel.indicator.file.hash.sha1": "a68ca1b41cb93fe2879bb3baeb8e19990758f099",
+ "threatintel.indicator.file.hash.sha256": "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00",
+ "threatintel.indicator.file.hash.sha384": "788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c",
+ "threatintel.indicator.file.hash.ssdeep": "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7",
+ "threatintel.indicator.file.hash.tlsh": "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD",
+ "threatintel.indicator.file.mime_type": "text/x-script.python",
+ "threatintel.indicator.file.name": "vabsheche.py",
+ "threatintel.indicator.file.size": 11717,
+ "threatintel.indicator.first_seen": "2021-04-06T20:07:59.000Z",
+ "threatintel.indicator.geo.country_iso_code": "FR",
+ "threatintel.indicator.provider": "ArkbirdDevil",
+ "threatintel.indicator.type": "file",
+ "threatintel.malwarebazaar.anonymous": 0,
+ "threatintel.malwarebazaar.code_sign": [],
+ "threatintel.malwarebazaar.intelligence.downloads": 27,
+ "threatintel.malwarebazaar.intelligence.uploads": 1,
+ "threatintel.malwarebazaar.tags": [
+ "backdoor",
+ "python"
+ ]
+ },
+ {
+ "event.category": "threat",
+ "event.dataset": "threatintel.malwarebazaar",
+ "event.kind": "enrichment",
+ "event.module": "threatintel",
+ "event.type": "indicator",
+ "fileset.name": "malwarebazaar",
+ "input.type": "log",
+ "log.offset": 3414,
+ "related.hash": [
+ "fe185f106730583156f39233f77f8019",
+ "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4",
+ "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2",
+ "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144"
+ ],
+ "service.type": "threatintel",
+ "tags": [
+ "threatintel-malwarebazaar",
+ "forwarded"
+ ],
+ "threatintel.indicator.file.extension": "docx",
+ "threatintel.indicator.file.hash.md5": "fe185f106730583156f39233f77f8019",
+ "threatintel.indicator.file.hash.sha1": "e8378aede9f26f09b7d503d79a05d67612be15f6",
+ "threatintel.indicator.file.hash.sha256": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4",
+ "threatintel.indicator.file.hash.sha384": "752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f",
+ "threatintel.indicator.file.hash.ssdeep": "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2",
+ "threatintel.indicator.file.hash.tlsh": "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144",
+ "threatintel.indicator.file.mime_type": "application/msword",
+ "threatintel.indicator.file.name": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin",
+ "threatintel.indicator.file.size": 7929856,
+ "threatintel.indicator.first_seen": "2021-04-06T20:00:48.000Z",
+ "threatintel.indicator.geo.country_iso_code": "FR",
+ "threatintel.indicator.provider": "ArkbirdDevil",
+ "threatintel.indicator.type": "file",
+ "threatintel.malwarebazaar.anonymous": 0,
+ "threatintel.malwarebazaar.code_sign": [],
+ "threatintel.malwarebazaar.intelligence.downloads": 21,
+ "threatintel.malwarebazaar.intelligence.uploads": 1,
+ "threatintel.malwarebazaar.tags": [
+ "maldoc"
+ ]
+ },
+ {
+ "event.category": "threat",
+ "event.dataset": "threatintel.malwarebazaar",
+ "event.kind": "enrichment",
+ "event.module": "threatintel",
+ "event.type": "indicator",
+ "fileset.name": "malwarebazaar",
+ "input.type": "log",
+ "log.offset": 4311,
+ "related.hash": [
+ "70da6872b6b2da9ddc94d14b02302917",
+ "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c",
+ "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E",
+ "6476b7c4dd55eafbdf922a7ba1e2d5f9",
+ "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27"
+ ],
+ "service.type": "threatintel",
+ "tags": [
+ "threatintel-malwarebazaar",
+ "forwarded"
+ ],
+ "threatintel.indicator.file.extension": "dll",
+ "threatintel.indicator.file.hash.md5": "70da6872b6b2da9ddc94d14b02302917",
+ "threatintel.indicator.file.hash.sha1": "b2da45913353bfc66d189455f9ad80ef26968143",
+ "threatintel.indicator.file.hash.sha256": "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c",
+ "threatintel.indicator.file.hash.sha384": "c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58",
+ "threatintel.indicator.file.hash.ssdeep": "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E",
+ "threatintel.indicator.file.hash.tlsh": "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27",
+ "threatintel.indicator.file.mime_type": "application/x-dosexec",
+ "threatintel.indicator.file.name": "winlog.wll",
+ "threatintel.indicator.file.pe.imphash": "6476b7c4dd55eafbdf922a7ba1e2d5f9",
+ "threatintel.indicator.file.size": 131584,
+ "threatintel.indicator.first_seen": "2021-04-06T19:58:50.000Z",
+ "threatintel.indicator.geo.country_iso_code": "FR",
+ "threatintel.indicator.provider": "ArkbirdDevil",
+ "threatintel.indicator.type": "file",
+ "threatintel.malwarebazaar.anonymous": 0,
+ "threatintel.malwarebazaar.code_sign": [],
+ "threatintel.malwarebazaar.intelligence.downloads": 30,
+ "threatintel.malwarebazaar.intelligence.uploads": 1,
+ "threatintel.malwarebazaar.tags": [
+ "apt",
+ "tonto"
+ ]
+ },
+ {
+ "event.category": "threat",
+ "event.dataset": "threatintel.malwarebazaar",
+ "event.kind": "enrichment",
+ "event.module": "threatintel",
+ "event.type": "indicator",
+ "fileset.name": "malwarebazaar",
+ "input.type": "log",
+ "log.offset": 5209,
+ "related.hash": [
+ "de80e1d7d9f5b1c64ec9f8d4f5063989",
+ "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606",
+ "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO",
+ "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7"
+ ],
+ "service.type": "threatintel",
+ "tags": [
+ "threatintel-malwarebazaar",
+ "forwarded"
+ ],
+ "threatintel.indicator.file.extension": "docx",
+ "threatintel.indicator.file.hash.md5": "de80e1d7d9f5b1c64ec9f8d4f5063989",
+ "threatintel.indicator.file.hash.sha1": "3d613d5678e43faeea1c636185a0b4c3ec80e742",
+ "threatintel.indicator.file.hash.sha256": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606",
+ "threatintel.indicator.file.hash.sha384": "a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4",
+ "threatintel.indicator.file.hash.ssdeep": "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO",
+ "threatintel.indicator.file.hash.tlsh": "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7",
+ "threatintel.indicator.file.mime_type": "application/msword",
+ "threatintel.indicator.file.name": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample",
+ "threatintel.indicator.file.size": 1088000,
+ "threatintel.indicator.first_seen": "2021-04-06T19:58:44.000Z",
+ "threatintel.indicator.geo.country_iso_code": "DE",
+ "threatintel.indicator.provider": "DmitriyMelikov",
+ "threatintel.indicator.type": "file",
+ "threatintel.malwarebazaar.anonymous": 0,
+ "threatintel.malwarebazaar.code_sign": [],
+ "threatintel.malwarebazaar.intelligence.downloads": 32,
+ "threatintel.malwarebazaar.intelligence.uploads": 1
+ },
+ {
+ "event.category": "threat",
+ "event.dataset": "threatintel.malwarebazaar",
+ "event.kind": "enrichment",
+ "event.module": "threatintel",
+ "event.type": "indicator",
+ "fileset.name": "malwarebazaar",
+ "input.type": "log",
+ "log.offset": 6096,
+ "related.hash": [
+ "2759c73c986c6a757bf9d25621c5595a",
+ "84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b",
+ "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0",
+ "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646"
+ ],
+ "service.type": "threatintel",
+ "tags": [
+ "threatintel-malwarebazaar",
+ "forwarded"
+ ],
+ "threatintel.indicator.file.extension": "exe",
+ "threatintel.indicator.file.hash.md5": "2759c73c986c6a757bf9d25621c5595a",
+ "threatintel.indicator.file.hash.sha1": "00b52e8ca1785d5086703ad8cff1d28fc3354934",
+ "threatintel.indicator.file.hash.sha256": "84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b",
+ "threatintel.indicator.file.hash.sha384": "138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d",
+ "threatintel.indicator.file.hash.ssdeep": "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0",
+ "threatintel.indicator.file.hash.tlsh": "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646",
+ "threatintel.indicator.file.mime_type": "application/x-dosexec",
+ "threatintel.indicator.file.name": "Purchase Order.8000.scan.pdf...exe",
+ "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "threatintel.indicator.file.size": 752128,
+ "threatintel.indicator.first_seen": "2021-04-06T19:52:32.000Z",
+ "threatintel.indicator.geo.country_iso_code": "FR",
+ "threatintel.indicator.provider": "James_inthe_box",
+ "threatintel.indicator.signature": "SnakeKeylogger",
+ "threatintel.indicator.type": "file",
+ "threatintel.malwarebazaar.anonymous": 0,
+ "threatintel.malwarebazaar.code_sign": [],
+ "threatintel.malwarebazaar.intelligence.downloads": 38,
+ "threatintel.malwarebazaar.intelligence.mail.Generic": "low",
+ "threatintel.malwarebazaar.intelligence.uploads": 1,
+ "threatintel.malwarebazaar.tags": [
+ "exe",
+ "SnakeKeylogger"
+ ]
+ },
+ {
+ "event.category": "threat",
+ "event.dataset": "threatintel.malwarebazaar",
+ "event.kind": "enrichment",
+ "event.module": "threatintel",
+ "event.type": "indicator",
+ "fileset.name": "malwarebazaar",
+ "input.type": "log",
+ "log.offset": 7020,
+ "related.hash": [
+ "596b3dbf07a287dcf76860b5e54762c3",
+ "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8",
+ "12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN",
+ "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655"
+ ],
+ "service.type": "threatintel",
+ "tags": [
+ "threatintel-malwarebazaar",
+ "forwarded"
+ ],
+ "threatintel.indicator.file.extension": "exe",
+ "threatintel.indicator.file.hash.md5": "596b3dbf07a287dcf76860b5e54762c3",
+ "threatintel.indicator.file.hash.sha1": "a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5",
+ "threatintel.indicator.file.hash.sha256": "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8",
+ "threatintel.indicator.file.hash.sha384": "ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c",
+ "threatintel.indicator.file.hash.ssdeep": 
"12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN", + "threatintel.indicator.file.hash.tlsh": "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655", + "threatintel.indicator.file.mime_type": "application/x-dosexec", + "threatintel.indicator.file.name": "New Order PO#121012020_____PDF_______.exe", + "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", + "threatintel.indicator.file.size": 836096, + "threatintel.indicator.first_seen": "2021-04-06T19:47:13.000Z", + "threatintel.indicator.geo.country_iso_code": "FR", + "threatintel.indicator.provider": "James_inthe_box", + "threatintel.indicator.signature": "AgentTesla", + "threatintel.indicator.type": "file", + "threatintel.malwarebazaar.anonymous": 0, + "threatintel.malwarebazaar.code_sign": [], + "threatintel.malwarebazaar.intelligence.downloads": 40, + "threatintel.malwarebazaar.intelligence.mail.Generic": "low", + "threatintel.malwarebazaar.intelligence.uploads": 1, + "threatintel.malwarebazaar.tags": [ + "AgentTesla", + "exe" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/threatintel.yml.disabled b/x-pack/filebeat/modules.d/threatintel.yml.disabled index b461d91e218e..e64e05a81f73 100644 --- a/x-pack/filebeat/modules.d/threatintel.yml.disabled +++ b/x-pack/filebeat/modules.d/threatintel.yml.disabled @@ -26,6 +26,18 @@ # The interval to poll the API for updates. var.interval: 10m + malwarebazaar: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://mb-api.abuse.ch/api/v1/ + + # The interval to poll the API for updates. + var.interval: 10m + misp: enabled: true 
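Review bot: The fixture pins MalwareBazaar's `sha3_384_hash` into `threatintel.indicator.file.hash.sha384` — the input record at log offset 5209 carries `"sha3_384_hash":"a3ec981ed158…42562fe4"` and the expected event reports exactly that value under `threatintel.indicator.file.hash.sha384`. SHA3-384 and SHA-384 are different algorithms, so the stored value will never match a genuine SHA-384 computed by another tool or feed, and any correlation or enrichment keyed on that ECS field will silently miss; the mapping itself presumably lives in the ingest pipeline, which is outside this chunk. Consider keeping the value under a module-specific name that states the algorithm, e.g. `threatintel.malwarebazaar.sha3_384_hash` (constructed name, mirrors the source key), rather than the ECS sha384 slot. Separately, `related.hash` in every event omits the sha1 value even though `threatintel.indicator.file.hash.sha1` is populated, so a pivot on sha1 through `related.hash` would not find these indicators.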
@@ -45,7 +57,7 @@ # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context. # For examples please reference the filebeat module documentation. #var.filters: - # - threat_level: [4, 5] + # - threat_level: [4, 5] # - to_ids: true # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer @@ -81,6 +93,8 @@ # The interval to poll the API for updates var.interval: 5m + +======= anomali: enabled: true
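Review bot: The `+=======` line added in the `@@ -81,6 +93,8 @@` hunk is a leftover merge-conflict marker, not configuration; a bare `=======` scalar at that position would very likely make the whole file fail YAML parsing as soon as the module is enabled, taking every threatintel fileset down with it rather than just the new one. Drop the two added lines (the empty `+` and `+=======`) so that `var.interval: 5m` is followed directly by the existing `anomali:` block. Blank context lines appear to have been collapsed in this rendering, so the exact surrounding whitespace is inferred.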