[Filebeat] Threat Intel field for the abuseurl fileset in the threatintel module does not match the docs #26351

@ajosh0504

Description

According to the docs, the Threat Intel field corresponding to the full URL for the abuseurl fileset in the threatintel module is threat.indicator.url.full.

However, I enabled the threatintel module for filebeat for some testing I was doing and the ingested documents don't have the threat.indicator.url.full field, but instead contain the field threatintel.indicator.url.original which has the full URL. A sample ingested document from my test is as follows:

{
  "_index": "filebeat-7.13.2-2021.06.15-000001",
  "_type": "_doc",
  "_id": "ac4f460331703ca38dc4ef7a42ebdc50cac5277c4645d048bffc8d353f0e8456",
  "_score": 0.7495581,
  "_source": {
    "agent": {
      "hostname": "endgame-PC",
      "name": "endgame-PC",
      "id": "e9efb101-ddb6-4b58-b287-906e7530267a",
      "ephemeral_id": "6b481ea5-90a8-46d9-b9dc-f7d26f8f2442",
      "type": "filebeat",
      "version": "7.13.2"
    },
    "fileset": {
      "name": "abuseurl"
    },
    "threatintel": {
      "indicator": {
        "first_seen": "2021-06-15T16:39:04.000Z",
        "provider": "zbetcheckin",
        "domain": "176.121.14.128",
        "type": "url",
        "url": {
          "path": "/updatetes.exe",
          "extension": "exe",
          "original": "http://176.121.14.128/updatetes.exe",
          "scheme": "http",
          "domain": "176.121.14.128"
        }
      },
      "abuseurl": {
        "larted": true,
        "url_status": "online",
        "blacklists": {
          "surbl": "not listed",
          "spamhaus_dbl": "not listed"
        },
        "id": "1369673",
        "threat": "malware_download",
        "tags": [
          "32",
          "exe",
          "RedLineStealer"
        ]
      }
    },
    "tags": [
      "threatintel-abuseurls",
      "forwarded"
    ],
    "input": {
      "type": "httpjson"
    },
    "@timestamp": "2021-06-15T21:58:45.271Z",
    "ecs": {
      "version": "1.9.0"
    },
    "service": {
      "type": "threatintel"
    },
    "event": {
      "reference": "https://urlhaus.abuse.ch/url/1369673/",
      "ingested": "2021-06-15T21:58:54.691595712Z",
      "created": "2021-06-15T21:58:45.271Z",
      "kind": "enrichment",
      "module": "threatintel",
      "category": "threat",
      "type": "indicator",
      "dataset": "threatintel.abuseurl"
    }
  }
}

Not sure if it's the documentation or the module itself that's pointing to the wrong field.
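As an added example (not code from the issue or from the Beats project), a small Python check that resolves both candidate field paths in a document's `_source`, accepting either nested objects or flattened dotted keys as Elasticsearch stores them, and flags the mismatch the issue describes. The sample hit is constructed with a placeholder URL rather than the live indicator from the issue.

```python
"""Check where the URL indicator actually lives in an ingested Filebeat
threatintel document, compared with the field path the docs name."""
import json

# Field path the documentation gives for the abuseurl fileset (from the issue).
DOCUMENTED_PATH = "threat.indicator.url.full"
# Field path present in the ingested document (from the issue).
OBSERVED_PATH = "threatintel.indicator.url.original"

# Constructed sample hit: shape of the issue's document, placeholder URL.
SAMPLE_HIT = json.loads("""
{
  "_source": {
    "fileset": {"name": "abuseurl"},
    "threatintel": {
      "indicator": {
        "type": "url",
        "url": {"original": "http://indicator.example/sample.exe", "scheme": "http"}
      }
    },
    "event": {"dataset": "threatintel.abuseurl", "kind": "enrichment"}
  }
}
""")


def get_path(doc, path):
    """Resolve a dotted field path against a _source object.

    Elasticsearch accepts both nested objects ({"a": {"b": 1}}) and
    flattened dotted keys ({"a.b": 1}), so every split point of the path
    is tried, longest prefix first. Returns None when the path is absent."""
    parts = path.split(".")
    for i in range(len(parts), 0, -1):
        head, rest = ".".join(parts[:i]), ".".join(parts[i:])
        if isinstance(doc, dict) and head in doc:
            return doc[head] if not rest else get_path(doc[head], rest)
    return None


def locate_indicator_url(hit):
    """Report the value at each candidate path; 'mismatch' is True when the
    documented path is missing but the observed one is populated."""
    src = hit.get("_source", hit)
    documented = get_path(src, DOCUMENTED_PATH)
    observed = get_path(src, OBSERVED_PATH)
    return {"dataset": get_path(src, "event.dataset"),
            "documented": documented, "observed": observed,
            "mismatch": documented is None and observed is not None}


if __name__ == "__main__":
    print(json.dumps(locate_indicator_url(SAMPLE_HIT), indent=2))
```

Point it at the hits returned by a search over the `filebeat-*` index to see whether the documented ECS field or the module's own field is populated in your deployment.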
