Cherry-pick #21795 to 7.x: [Filebeat][New Module] Threat intel module for filebeat#24039
Merged
P1llus merged 2 commits into elastic:7.x on Feb 15, 2021
Conversation
* initial MVP commit for threat intel module for filebeat
* Fixing typos based on PR comments
* adding converter for larted field
* adding concept for a new MISP module
* setting correct field type for misp group sharing id
* setting timestamp to age of attribute timestamp
* stashing initial support for AlienVault OTX
* add threatintel.otx to timestamp bypass for testing
* stashing upcoming changes for new httpjson format
* updating settings with pagination
* big overwrite of the whole module to fit the new TI ECS fields, add new test data, and make the ingest pipelines more sturdy
* update default url for anomali
* updating field names based on feedback
* final commit fixing certain bugs, adding the missing field mapping etc
* updating field definition, it had a duplicate field
* updating the anomali config to access the header in a safer way, allowing for special characters
* added stripping of null values and made sure it looked at the correct document field
* updating field mapping to default_field false
* updating default config descriptions
* disable default_field for top group
* updating changelog
* adding fallback for uri_parts when using older ES version
* updating test_modules to ignore timestamps
* adding support for uri_parts for all relevant ingest pipelines, and fallbacks
* updating default config templates and docs based on PR comments
* Update x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
  Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
* mage update

Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
(cherry picked from commit 70d00b9)
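As an added illustration (my own Python, not code from the Beats module, whose normalisation is done by Elasticsearch ingest pipelines rather than in Python), the block below shows three of the behaviours the commit message above lists: taking @timestamp from the attribute's own timestamp instead of ingest time, splitting an indicator URL into url.* parts as a fallback for clusters that lack the uri_parts processor, and stripping null values before the document is indexed. The MISP-shaped attribute is constructed, and the MISP-to-ECS type mapping and the misp.attribute.* field names are assumptions made for the example, not taken from the module's pipelines.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in the shape of a MISP attribute (not real feed data).
# MISP serialises the attribute timestamp as epoch seconds in a string, and
# optional fields such as "comment" can arrive as null.
SAMPLE_ATTRIBUTE = {
    "id": "1",
    "type": "url",
    "category": "Network activity",
    "value": "http://example.test:8080/payload/drop.exe?id=7",
    "timestamp": "1613347200",
    "comment": None,
    "sharing_group_id": "0",
}

# Assumed partial mapping from MISP attribute types to ECS threat.indicator.type
# values; the module's own pipeline is the authority for the real table.
MISP_TO_ECS_TYPE = {
    "url": "url",
    "domain": "domain-name",
    "ip-src": "ipv4-addr",
    "ip-dst": "ipv4-addr",
    "md5": "file",
    "sha256": "file",
}


def uri_parts(url):
    """Split a URL into url.* sub-fields in the style of the uri_parts ingest
    processor; this is the kind of fallback needed when the Elasticsearch
    version predates that processor."""
    parts = urlsplit(url)
    out = {
        "original": url,
        "scheme": parts.scheme or None,
        "domain": parts.hostname,
        "port": parts.port,
        "path": parts.path or None,
        "query": parts.query or None,
        "fragment": parts.fragment or None,
    }
    last_segment = parts.path.rsplit("/", 1)[-1]
    if "." in last_segment:
        out["extension"] = last_segment.rsplit(".", 1)[-1]
    return out


def _is_empty(value):
    return value is None or value == {} or value == []


def strip_nulls(obj):
    """Recursively drop null values and empty containers so optional feed
    fields that arrive as null never reach the index mapping."""
    if isinstance(obj, dict):
        cleaned = {k: strip_nulls(v) for k, v in obj.items()}
        return {k: v for k, v in cleaned.items() if not _is_empty(v)}
    if isinstance(obj, list):
        return [strip_nulls(v) for v in obj if not _is_empty(v)]
    return obj


def to_ecs(attr, provider="misp"):
    """Normalise one MISP-style attribute into an ECS threat.indicator document.
    @timestamp comes from the attribute's own timestamp, so the age of the
    indicator is preserved across re-ingestion."""
    ts = datetime.fromtimestamp(int(attr["timestamp"]), tz=timezone.utc)
    indicator = {
        "provider": provider,
        "type": MISP_TO_ECS_TYPE.get(attr["type"]),
        "description": attr.get("comment"),
    }
    if attr["type"] == "url":
        indicator["url"] = uri_parts(attr["value"])
    elif attr["type"] in ("ip-src", "ip-dst"):
        indicator["ip"] = attr["value"]
    elif attr["type"] == "domain":
        indicator["domain"] = attr["value"]
    elif attr["type"] in ("md5", "sha256"):
        indicator["file"] = {"hash": {attr["type"]: attr["value"]}}
    doc = {
        "@timestamp": ts.isoformat().replace("+00:00", "Z"),
        "event": {"kind": "enrichment", "category": ["threat"], "type": ["indicator"]},
        "threat": {"indicator": indicator},
        # Assumed source-specific field names, kept alongside the ECS fields.
        "misp": {"attribute": {"category": attr.get("category"),
                               "sharing_group_id": attr.get("sharing_group_id")}},
    }
    return strip_nulls(doc)


if __name__ == "__main__":
    print(json.dumps(to_ecs(SAMPLE_ATTRIBUTE), indent=2))
```

Running it prints the normalised document for the constructed attribute; note that the null comment disappears entirely rather than being indexed as an empty description, which is the point of the null-stripping step.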
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
💚 Build Succeeded
marc-gr approved these changes on Feb 15, 2021
Cherry-pick of PR #21795 to 7.x branch. Original message:
What does this PR do?
This PR adds a new module for threat intel, using each TI source as a fileset.
Why is it important?
Adds the possibility to ingest threat intel data to be used for security use cases.
Checklist
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Resolves #23406