|
1 | 1 | description: Pipeline for parsing Abuse.ch Malware Threat Intel |
2 | 2 | processors: |
3 | | - #################### |
4 | | - # Event ECS fields # |
5 | | - #################### |
6 | | - - set: |
7 | | - field: event.ingested |
8 | | - value: "{{_ingest.timestamp}}" |
9 | | - - set: |
10 | | - field: event.kind |
11 | | - value: enrichment |
12 | | - - set: |
13 | | - field: event.category |
14 | | - value: threat |
15 | | - - set: |
16 | | - field: event.type |
17 | | - value: indicator |
| 3 | + #################### |
| 4 | + # Event ECS fields # |
| 5 | + #################### |
| 6 | + - set: |
| 7 | + field: event.ingested |
| 8 | + value: "{{_ingest.timestamp}}" |
| 9 | + - set: |
| 10 | + field: event.kind |
| 11 | + value: enrichment |
| 12 | + - set: |
| 13 | + field: event.category |
| 14 | + value: threat |
| 15 | + - set: |
| 16 | + field: event.type |
| 17 | + value: indicator |
18 | 18 |
|
19 | | - ###################### |
20 | | - # General ECS fields # |
21 | | - ###################### |
22 | | - - rename: |
23 | | - field: json |
24 | | - target_field: threatintel.abusemalware |
25 | | - ignore_missing: true |
| 19 | + ###################### |
| 20 | + # General ECS fields # |
| 21 | + ###################### |
| 22 | + - rename: |
| 23 | + field: json |
| 24 | + target_field: threatintel.abusemalware |
| 25 | + ignore_missing: true |
26 | 26 |
|
27 | | - ##################### |
28 | | - # Threat ECS Fields # |
29 | | - ##################### |
30 | | - - date: |
31 | | - field: threatintel.abusemalware.firstseen |
32 | | - target_field: threatintel.indicator.first_seen |
33 | | - formats: |
34 | | - - "yyyy-MM-dd HH:mm:ss z" |
35 | | - - "yyyy-MM-dd HH:mm:ss Z" |
36 | | - - "yyyy-MM-dd HH:mm:ss" |
37 | | - if: "ctx?.threatintel?.abusemalware.firstseen != null" |
38 | | - - set: |
39 | | - field: threatintel.indicator.type |
40 | | - value: file |
41 | | - - rename: |
42 | | - field: threatintel.abusemalware.file_size |
43 | | - target_field: threatintel.indicator.file.size |
44 | | - ignore_missing: true |
45 | | - - rename: |
46 | | - field: threatintel.abusemalware.file_type |
47 | | - target_field: threatintel.indicator.file.type |
48 | | - ignore_missing: true |
49 | | - # This includes a direct link to malicious files, we do not want them to appear in Kibana |
50 | | - # in case they are accidently clicked. |
51 | | - - remove: |
52 | | - field: threatintel.abusemalware.urlhaus_download |
53 | | - ignore_missing: true |
54 | | - - convert: |
55 | | - field: threatintel.indicator.file.size |
56 | | - type: long |
57 | | - ignore_missing: true |
58 | | - - rename: |
59 | | - field: threatintel.abusemalware.md5_hash |
60 | | - target_field: threatintel.indicator.file.hash.md5 |
61 | | - ignore_missing: true |
62 | | - - rename: |
63 | | - field: threatintel.abusemalware.sha256_hash |
64 | | - target_field: threatintel.indicator.file.hash.sha256 |
65 | | - ignore_missing: true |
66 | | - - rename: |
67 | | - field: threatintel.abusemalware.imphash |
68 | | - target_field: threatintel.indicator.file.pe.imphash |
69 | | - ignore_missing: true |
70 | | - - rename: |
71 | | - field: threatintel.abusemalware.ssdeep |
72 | | - target_field: threatintel.indicator.file.hash.ssdeep |
73 | | - ignore_missing: true |
74 | | - - rename: |
75 | | - field: threatintel.abusemalware.tlsh |
76 | | - target_field: threatintel.indicator.file.hash.tlsh |
77 | | - ignore_missing: true |
78 | | - - append: |
79 | | - field: related.hash |
80 | | - value: "{{ threatintel.indicator.file.hash.md5 }}" |
81 | | - if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null |
82 | | - - append: |
83 | | - field: related.hash |
84 | | - value: "{{ threatintel.indicator.file.hash.sha256 }}" |
85 | | - if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null |
86 | | - - append: |
87 | | - field: related.hash |
88 | | - value: "{{ threatintel.indicator.file.hash.ssdeep }}" |
89 | | - if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null |
90 | | - - append: |
91 | | - field: related.hash |
92 | | - value: "{{ threatintel.indicator.file.pe.imphash }}" |
93 | | - if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null |
94 | | - - append: |
95 | | - field: related.hash |
96 | | - value: "{{ threatintel.indicator.file.hash.tlsh }}" |
97 | | - if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null |
| 27 | + ##################### |
| 28 | + # Threat ECS Fields # |
| 29 | + ##################### |
| 30 | + - date: |
| 31 | + field: threatintel.abusemalware.firstseen |
| 32 | + target_field: threatintel.indicator.first_seen |
| 33 | + formats: |
| 34 | + - "yyyy-MM-dd HH:mm:ss z" |
| 35 | + - "yyyy-MM-dd HH:mm:ss Z" |
| 36 | + - "yyyy-MM-dd HH:mm:ss" |
| 37 | + if: "ctx?.threatintel?.abusemalware.firstseen != null" |
| 38 | + - set: |
| 39 | + field: threatintel.indicator.type |
| 40 | + value: file |
| 41 | + - rename: |
| 42 | + field: threatintel.abusemalware.file_size |
| 43 | + target_field: threatintel.indicator.file.size |
| 44 | + ignore_missing: true |
| 45 | + - rename: |
| 46 | + field: threatintel.abusemalware.file_type |
| 47 | + target_field: threatintel.indicator.file.type |
| 48 | + ignore_missing: true |
| 49 | + # This includes a direct link to malicious files, we do not want them to appear in Kibana |
| 50 | + # in case they are accidently clicked. |
| 51 | + - remove: |
| 52 | + field: threatintel.abusemalware.urlhaus_download |
| 53 | + ignore_missing: true |
| 54 | + - convert: |
| 55 | + field: threatintel.indicator.file.size |
| 56 | + type: long |
| 57 | + ignore_missing: true |
| 58 | + - rename: |
| 59 | + field: threatintel.abusemalware.md5_hash |
| 60 | + target_field: threatintel.indicator.file.hash.md5 |
| 61 | + ignore_missing: true |
| 62 | + - rename: |
| 63 | + field: threatintel.abusemalware.sha256_hash |
| 64 | + target_field: threatintel.indicator.file.hash.sha256 |
| 65 | + ignore_missing: true |
| 66 | + - rename: |
| 67 | + field: threatintel.abusemalware.imphash |
| 68 | + target_field: threatintel.indicator.file.pe.imphash |
| 69 | + ignore_missing: true |
| 70 | + - rename: |
| 71 | + field: threatintel.abusemalware.ssdeep |
| 72 | + target_field: threatintel.indicator.file.hash.ssdeep |
| 73 | + ignore_missing: true |
| 74 | + - rename: |
| 75 | + field: threatintel.abusemalware.tlsh |
| 76 | + target_field: threatintel.indicator.file.hash.tlsh |
| 77 | + ignore_missing: true |
| 78 | + - append: |
| 79 | + field: related.hash |
| 80 | + value: "{{ threatintel.indicator.file.hash.md5 }}" |
| 81 | + if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null |
| 82 | + - append: |
| 83 | + field: related.hash |
| 84 | + value: "{{ threatintel.indicator.file.hash.sha256 }}" |
| 85 | + if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null |
| 86 | + - append: |
| 87 | + field: related.hash |
| 88 | + value: "{{ threatintel.indicator.file.hash.ssdeep }}" |
| 89 | + if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null |
| 90 | + - append: |
| 91 | + field: related.hash |
| 92 | + value: "{{ threatintel.indicator.file.pe.imphash }}" |
| 93 | + if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null |
| 94 | + - append: |
| 95 | + field: related.hash |
| 96 | + value: "{{ threatintel.indicator.file.hash.tlsh }}" |
| 97 | + if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null |
98 | 98 |
|
99 | | - ###################### |
100 | | - # Cleanup processors # |
101 | | - ###################### |
102 | | - - set: |
103 | | - field: threatintel.indicator.type |
104 | | - value: unknown |
105 | | - if: ctx?.threatintel?.indicator?.type == null |
106 | | - - script: |
107 | | - lang: painless |
108 | | - if: ctx?.threatintel != null |
109 | | - source: | |
110 | | - void handleMap(Map map) { |
111 | | - for (def x : map.values()) { |
112 | | - if (x instanceof Map) { |
113 | | - handleMap(x); |
114 | | - } else if (x instanceof List) { |
115 | | - handleList(x); |
116 | | - } |
117 | | - } |
118 | | - map.values().removeIf(v -> v == null); |
| 99 | + ###################### |
| 100 | + # Cleanup processors # |
| 101 | + ###################### |
| 102 | + - set: |
| 103 | + field: threatintel.indicator.type |
| 104 | + value: unknown |
| 105 | + if: ctx?.threatintel?.indicator?.type == null |
| 106 | + - script: |
| 107 | + lang: painless |
| 108 | + if: ctx?.threatintel != null |
| 109 | + source: | |
| 110 | + void handleMap(Map map) { |
| 111 | + for (def x : map.values()) { |
| 112 | + if (x instanceof Map) { |
| 113 | + handleMap(x); |
| 114 | + } else if (x instanceof List) { |
| 115 | + handleList(x); |
| 116 | + } |
| 117 | + } |
| 118 | + map.values().removeIf(v -> v == null); |
| 119 | + } |
| 120 | + void handleList(List list) { |
| 121 | + for (def x : list) { |
| 122 | + if (x instanceof Map) { |
| 123 | + handleMap(x); |
| 124 | + } else if (x instanceof List) { |
| 125 | + handleList(x); |
119 | 126 | } |
120 | | - void handleList(List list) { |
121 | | - for (def x : list) { |
122 | | - if (x instanceof Map) { |
123 | | - handleMap(x); |
124 | | - } else if (x instanceof List) { |
125 | | - handleList(x); |
126 | | - } |
127 | | - } |
128 | | - } |
129 | | - handleMap(ctx); |
130 | | - - remove: |
131 | | - field: |
132 | | - - threatintel.abusemalware.firstseen |
133 | | - - message |
134 | | - ignore_missing: true |
| 127 | + } |
| 128 | + } |
| 129 | + handleMap(ctx); |
| 130 | + - remove: |
| 131 | + field: |
| 132 | + - threatintel.abusemalware.firstseen |
| 133 | + - message |
| 134 | + ignore_missing: true |
135 | 135 | on_failure: |
136 | | - - set: |
137 | | - field: error.message |
138 | | - value: "{{ _ingest.on_failure_message }}" |
| 136 | + - set: |
| 137 | + field: error.message |
| 138 | + value: "{{ _ingest.on_failure_message }}" |
0 commit comments