MISP (Elasticsearch Agent) Integration ver 1.26.0
Elasticsearch ver 8.11.1
Expected: threat.indicator.url.full (or a comparable ECS indicator field) is populated from a MISP server URI attribute.
Request to the MISP server:
curl -X POST --header "Authorization: *" --header "Accept: application/json" --header "Content-Type: application/json" -d '
{
"type": "uri",
"to_ids": true,
"value":"http:\/\/druigvsegdaryadom.ir\/index.php"
}' https://10.1.1.31/attributes/restSearch
Response from the MISP server:
{"response": {"Attribute": [{"id":"474314","event_id":"2578","object_id":"0","object_relation":null,"category":"Network activity","type":"uri","to_ids":true,"uuid":"b3edd2ca-21de-44ff-ac58-40cb99cfdba1","timestamp":"1700488404","distribution":"5","sharing_group_id":"0","comment":"URI","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/druigvsegdaryadom.ir\/index.php","Event":{"org_id":"1","distribution":"3","id":"2578","info":"SmokeLoader \u0437 \u0442\u0435\u043c\u043e\u044e \u0440\u0430\u0445\u0443\u043d\u043a\u0456\u0432 (CERT-UA#8091)","orgc_id":"3","uuid":"9c56976c-cbdb-45e6-a185-dce19fab0b45"}}]}}
As shown above, the attribute with "value":"http://druigvsegdaryadom.ir/index.php" exists on the MISP server ("Attribute": [{"id":"474314","event_id":"2578",...]).
The Elasticsearch search shows the corresponding document (same misp.attribute.uuid and misp.attribute.id), but without "value":"http://druigvsegdaryadom.ir/index.php" and without threat.indicator.url.full:
{ "_index": ".ds-logs-ti_misp.threat_attributes-default-2023.11.22-000101", "_id": "Jw4paqCpkn1n/GIk+IWShoU2mEs=", "_version": 1, "_score": 0, "_source": { "input": {"type": "httpjson"}, "agent": { "name": "SIEM-INTEGR-1", "id": "0b30804e-ee26-42a1-acb1-8f76af13f78c", "type": "filebeat", "ephemeral_id": "223600bf-3b71-4762-ba6c-fc3e18a872f7", "version": "8.11.0" }, "@timestamp": "2023-11-20T13:53:24.000Z", "ecs": {"version": "8.11.0"}, "data_stream": { "namespace": "default", "type": "logs", "dataset": "ti_misp.threat_attributes" }, "organization": {"id": "1"}, "elastic_agent": { "id": "0b30804e-ee26-42a1-acb1-8f76af13f78c", "version": "8.11.0", "snapshot": false }, "misp": { "attribute": { "distribution": 5, "type": "uri", "object_id": "0", "uuid": "b3edd2ca-21de-44ff-ac58-40cb99cfdba1", "to_ids": true, "disable_correlation": false, "deleted": false, "event_id": "2578", "sharing_group_id": "0", "comment": "URI", "id": "474314", "category": "Network activity" }, "event": { "id": "2578", "distribution": 3, "orgc_id": "3", "uuid": "9c56976c-cbdb-45e6-a185-dce19fab0b45", "info": "SmokeLoader" } }, "threat": { "indicator": { "provider": "misp", "type": "url" }, "feed": {"name": "MISP"} }, "event": { "agent_id_status": "verified", "ingested": "2023-11-22T02:04:02Z", "created": "2023-11-22T02:03:54.514Z", "kind": "enrichment", "category": [ "threat" ], "type": ["indicator"], "dataset": "ti_misp.threat_attributes" }, "tags": ["forwarded","misp-threat_attributes"] }, "fields": { "threat.indicator.type": ["url"], "misp.attribute.object_id": ["0"], "misp.attribute.to_ids": [true], "misp.attribute.distribution": [5], "elastic_agent.version": ["8.11.0"], "event.category": ["threat"], "misp.attribute.category": ["Network activity"], "threat.indicator.provider": ["misp"], "agent.type": ["filebeat"], "misp.event.info": ["SmokeLoader"], "event.module": ["ti_misp"], "misp.attribute.sharing_group_id": ["0"], "agent.name": ["SIEM-INTEGR-1"], "elastic_agent.snapshot": [false], 
"event.agent_id_status": ["verified"], "event.kind": ["enrichment"], "misp.attribute.deleted": [false], "threat.feed.name": ["MISP"], "elastic_agent.id": ["0b30804e-ee26-42a1-acb1-8f76af13f78c"], "data_stream.namespace": ["default"], "misp.attribute.disable_correlation": [false], "misp.event.orgc_id": ["3"], "misp.event.id": ["2578"], "input.type": ["httpjson"], "data_stream.type": ["logs"], "misp.event.uuid": ["9c56976c-cbdb-45e6-a185-dce19fab0b45"], "tags": ["forwarded","misp-threat_attributes"], "misp.attribute.id": ["474314"], "event.ingested": ["2023-11-22T02:04:02.000Z"], "misp.attribute.type": ["uri"], "@timestamp": ["2023-11-20T13:53:24.000Z"], "threat.feed.dashboard_id": ["ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294"], "agent.id": ["0b30804e-ee26-42a1-acb1-8f76af13f78c"], "ecs.version": ["8.11.0"], "misp.attribute.event_id": ["2578"], "misp.attribute.uuid": ["b3edd2ca-21de-44ff-ac58-40cb99cfdba1"], "misp.event.distribution": [ 3 ], "data_stream.dataset": [ "ti_misp.threat_attributes" ], "event.created": [ "2023-11-22T02:03:54.514Z" ], "event.type": [ "indicator" ], "misp.attribute.comment": ["URI"], "agent.ephemeral_id": ["223600bf-3b71-4762-ba6c-fc3e18a872f7"], "organization.id": ["1" ], "agent.version": ["8.11.0"], "event.dataset": ["ti_misp.threat_attributes"] } }
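A check for this class of gap, added here and not part of the report or of the ti_misp integration: it joins the MISP restSearch response with the Elasticsearch `_source` documents by attribute UUID and reports every attribute whose value did not land in the ECS field expected for its type. The type-to-field map is an assumption based on ECS `threat.indicator.*` field names, not the integration's actual pipeline, and the embedded sample is abridged from the response and document quoted above.

```python
import json

# Assumed mapping from MISP attribute type to the ECS field that should carry
# its value (based on ECS field names; the real ti_misp pipeline may differ).
EXPECTED_ECS_FIELD = {
    "uri": "threat.indicator.url.full",
    "url": "threat.indicator.url.full",
    "domain": "threat.indicator.url.domain",
    "ip-dst": "threat.indicator.ip",
    "ip-src": "threat.indicator.ip",
    "md5": "threat.indicator.file.hash.md5",
    "sha256": "threat.indicator.file.hash.sha256",
}

def get_path(doc, dotted):
    """Walk a nested dict by a dotted path; None if any hop is missing."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def find_dropped_values(misp_response, es_sources):
    """Return (uuid, type, value, expected_field) for each MISP attribute whose
    value is absent from the expected ECS field of its Elasticsearch document
    (or whose document is missing altogether)."""
    by_uuid = {get_path(s, "misp.attribute.uuid"): s for s in es_sources}
    dropped = []
    for attr in misp_response["response"]["Attribute"]:
        field = EXPECTED_ECS_FIELD.get(attr["type"])
        if field is None:
            continue  # type not covered by the assumed mapping
        src = by_uuid.get(attr["uuid"])
        if src is None or get_path(src, field) != attr["value"]:
            dropped.append((attr["uuid"], attr["type"], attr["value"], field))
    return dropped

# Constructed sample, abridged from the MISP response and ES document above.
MISP_RESPONSE = json.loads(r'''{"response": {"Attribute": [{"id":"474314","type":"uri",
"to_ids":true,"uuid":"b3edd2ca-21de-44ff-ac58-40cb99cfdba1",
"value":"http:\/\/druigvsegdaryadom.ir\/index.php"}]}}''')
ES_SOURCES = [{
    "misp": {"attribute": {"type": "uri", "id": "474314",
                           "uuid": "b3edd2ca-21de-44ff-ac58-40cb99cfdba1"}},
    "threat": {"indicator": {"provider": "misp", "type": "url"}},
}]

if __name__ == "__main__":
    for uuid, typ, value, field in find_dropped_values(MISP_RESPONSE, ES_SOURCES):
        print(f"attribute {uuid} ({typ}): value {value!r} missing from {field}")
```

Indicators flagged by this check will never fire an indicator-match rule, so running it after each ingest cycle turns a silent mapping gap into a visible one.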