From a0fcab1c91526dc773597f73cf4d68f339239165 Mon Sep 17 00:00:00 2001
From: Ryland Herrick
Date: Wed, 11 Aug 2021 14:01:58 -0500
Subject: [PATCH 1/9] First pass on updating filebeat threatintel logic for ECS 1.11

This only covers modules starting with an a; the rest will follow shortly.

In general, these changes address the following goals:

* preference for indicator.url.domain, and deprecation of indicator.domain
* moving from event.reference to indicator.reference
---
 .../abusemalware/ingest/pipeline.yml | 2 +-
 .../threatintel/abuseurl/ingest/pipeline.yml | 8 ++------
 .../threatintel/anomali/ingest/pipeline.yml | 4 ++--
 .../anomalithreatstream/ingest/pipeline.yml | 18 ++++++++----------
 4 files changed, 13 insertions(+), 19 deletions(-)

diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
index 42ed997a44fa..deba4e333cda 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
@@ -49,7 +49,7 @@ processors:
   ignore_missing: true
 - rename:
   field: threatintel.abusemalware.urlhaus_download
-  target_field: event.reference
+  target_field: indicator.reference
   ignore_missing: true
 - convert:
   field: threatintel.indicator.file.size
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
index 75631742b17b..c5f835508956 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
@@ -47,20 +47,16 @@ processors:
   field: threatintel.indicator.url.full
   value: '{{{threatintel.indicator.url.original}}}'
   ignore_empty_value: true
-- rename:
-  field: threatintel.abuseurl.host
-  target_field: threatintel.indicator.domain
-  ignore_missing: true
 - rename:
   field: threatintel.abuseurl.urlhaus_reference
-  target_field: event.reference
+  target_field: indicator.reference
   ignore_missing: true
 
 # Host can be both IP addresses and domain names
 - grok:
   field: threatintel.abuseurl.host
   patterns:
-  - "(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.domain})"
+  - '(?:%{IP:threatintel.indicator.ip})'
   ignore_failure: true
 - rename:
   field: threatintel.abuseurl.reporter
diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
index cc98cd5032a3..678aafb25fef 100644
--- a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
@@ -54,7 +54,7 @@ processors:
   if: "ctx?.threatintel?.anomali?.modified != null"
 - date:
   field: threatintel.anomali.valid_from
-  target_field: threatintel.anomali.valid_from
+  target_field: threatintel.indicator.first_seen
   formats:
   - "yyyy-MM-dd'T'HH:mm:ss.Sz"
   - "yyyy-MM-dd'T'HH:mm:ss.SZ"
@@ -93,7 +93,7 @@ processors:
   if: ctx?.threatintel?.indicator?.type == 'email-addr'
 - rename:
   field: _tmp.threatvalue
-  target_field: threatintel.indicator.domain
+  target_field: threatintel.indicator.url.domain
   ignore_missing: true
   if: ctx?.threatintel?.indicator?.type == 'domain-name'
 - set:
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
index be753edb153d..b8b1d2def1cf 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
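Review bot: The new grok pattern `'(?:%{IP:threatintel.indicator.ip})'` is unanchored, so a host such as `1.2.3.4.sslip.io` still populates `threatintel.indicator.ip` with an address that is merely a substring of a domain name, and `ignore_failure: true` does not help because the match succeeds; anchor it as `- '^%{IP:threatintel.indicator.ip}$'`. With the `%{GREEDYDATA}` branch and the `indicator.domain` rename both removed, nothing in this hunk records the domain-name form of `host` any more; presumably `threatintel.indicator.url.domain` is filled by a `uri_parts` processor earlier in the pipeline (the `url.full` set just above suggests one exists), but that is outside the hunk, so please confirm. The comment above the grok is now misleading and should say what actually happens, e.g. `# Host can be an IP address or a domain name; only the IP form is extracted here, the domain form is already available as threatintel.indicator.url.domain`.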
@@ -189,11 +189,11 @@ processors:
 # public => White ("Disclosure is not limited.")
 # private => Amber ("Limited disclosure, restricted to participants’ organizations.").
 #
-- set:
+- append:
   field: threatintel.indicator.marking.tlp
   value: Amber
   if: 'ctx.json.classification == "private"'
-- set:
+- append:
   field: threatintel.indicator.marking.tlp
   value: White
   if: 'ctx.json.classification == "public"'
@@ -237,11 +237,6 @@ processors:
   target_field: threatintel.indicator.as.organization.name
   ignore_missing: true
 
-- rename:
-  field: json.domain
-  target_field: threatintel.indicator.domain
-  ignore_missing: true
-
 - rename:
   field: json.email
   target_field: threatintel.indicator.email.address
@@ -262,12 +257,15 @@ processors:
     - append:
       field: error.message
      value: 'Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}'
-
 - set:
   field: threatintel.indicator.url.full
   value: '{{{threatintel.indicator.url.original}}}'
   ignore_empty_value: true
-
+- rename:
+  field: json.domain
+  target_field: threatintel.indicator.url.domain
+  ignore_missing: true
+  if: ctx.threatintel?.indicator?.url?.domain == null
 - rename:
   field: json.country
   target_field: threatintel.indicator.geo.country_iso_code
@@ -299,7 +297,7 @@ processors:
 
 - rename:
   field: json.source
-  target_field: threatintel.indicator.provider
+  target_field: threatintel.indicator.provider
   ignore_missing: true
 
 #
From a65bb5999ccf8b3c91935e801d7cd6ce4fd0a9b5 Mon Sep 17 00:00:00 2001
From: Ryland Herrick
Date: Wed, 11 Aug 2021 14:11:17 -0500
Subject: [PATCH 2/9] Move remaining modules from indicator.domain -> indicator.url.domain

Along with conditional checks to ensure we're not overwriting the relevant uri_parts data from earlier in the pipeline.
---
 .../filebeat/module/threatintel/misp/ingest/pipeline.yml | 8 ++++----
 .../filebeat/module/threatintel/otx/ingest/pipeline.yml | 4 ++--
 .../module/threatintel/recordedfuture/ingest/pipeline.yml | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)
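Review bot: The two processors switched to `append` keep the non-null-safe condition `ctx.json.classification == "private"`; for an event that has no `json` object that Painless expression throws instead of evaluating to false, and with no `ignore_failure` on the processor the whole document fails the pipeline. Use the null-safe form on both, `if: 'ctx.json?.classification == "private"'` and `if: 'ctx.json?.classification == "public"'`, which also matches the `ctx.threatintel?.indicator?.url?.domain == null` style this same patch introduces further down. Note as well that `append` turns `threatintel.indicator.marking.tlp` into an array; the two conditions are mutually exclusive so at most one value lands, but anything that read the field as a scalar should be checked.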
diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
index a251bf048336..1d051cecacf8 100644
--- a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
@@ -183,9 +183,9 @@ processors:
   if: "ctx?.threatintel?.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)"
 - rename:
   field: threatintel.misp.attribute.value
-  target_field: threatintel.indicator.domain
+  target_field: threatintel.indicator.url.domain
   ignore_missing: true
-  if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip'"
+  if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null"
 - rename:
   field: threatintel.misp.attribute.value
   target_field: threatintel.indicator.ip
@@ -194,9 +194,9 @@ processors:
 - grok:
   field: threatintel.misp.attribute.value
   patterns:
-  - "%{DATA:threatintel.indicator.domain}\\|%{IP:threatintel.indicator.ip}"
+  - "%{DATA:threatintel.indicator.url.domain}\\|%{IP:threatintel.indicator.ip}"
   ignore_missing: true
-  if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip'
+  if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null
 - grok:
   field: threatintel.misp.attribute.value
   patterns:
diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
index ddc32e885372..b00de82d1a5a 100644
--- a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
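Review bot: The `url.domain == null` clause added to the `domain|ip` grok gates the whole processor, so whenever `threatintel.indicator.url.domain` is already populated the `%{IP:threatintel.indicator.ip}` capture is skipped as well and the IP half of a `domain|ip` attribute is silently lost. The guard should only protect the domain capture; the simplest way is to split the processor into two groks, one that writes the domain under the `== null` condition and one that always writes the IP, as below. Separately, the first rename's condition now mixes `ctx?.threatintel?...` with `ctx.threatintel?...`; `ctx` itself is never null, so the plain `ctx.` form can be used throughout for consistency.
```yaml
# … unchanged: preceding rename processors …
- grok:
  field: threatintel.misp.attribute.value
  patterns:
  - "%{DATA:threatintel.indicator.url.domain}\\|%{IP}"
  ignore_missing: true
  if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null
- grok:
  field: threatintel.misp.attribute.value
  patterns:
  - "%{DATA}\\|%{IP:threatintel.indicator.ip}"
  ignore_missing: true
  if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip'
# … unchanged: following grok processor …
```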
@@ -109,9 +109,9 @@ processors:
   if: "ctx?.threatintel?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.threatintel?.otx?.type)"
 - rename:
   field: threatintel.otx.indicator
-  target_field: threatintel.indicator.domain
+  target_field: threatintel.indicator.url.domain
   ignore_missing: true
-  if: "ctx?.threatintel?.indicator?.type == 'domain-name'"
+  if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx.threatintel?.indicator?.url?.domain == null"
 
 ######################
 # Cleanup processors #
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
index 71a261a12af7..8d4a5240171d 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
@@ -144,9 +144,9 @@ processors:
 
 - rename:
   field: json.entity.name
-  target_field: threatintel.indicator.domain
+  target_field: threatintel.indicator.url.domain
   ignore_missing: true
-  if: 'ctx.threatintel?.indicator?.type == "domain-name"'
+  if: 'ctx.threatintel?.indicator?.type == "domain-name" && ctx.threatintel?.indicator?.url?.domain == null'
 
 - uri_parts:
   field: json.entity.name
From 9c44a14b49eca882e3ae1bd817bbe184ea57a96a Mon Sep 17 00:00:00 2001
From: Ryland Herrick
Date: Wed, 11 Aug 2021 14:15:45 -0500
Subject: [PATCH 3/9] Update indicator.reference in relevant modules

---
 x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml | 2 +-
 .../module/threatintel/recordedfuture/ingest/pipeline.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
index c5f835508956..dfb691053d91 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
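Review bot: In the recordedfuture hunk the new `&& ctx.threatintel?.indicator?.url?.domain == null` guard on the `json.entity.name` rename runs before the `uri_parts` processor that immediately follows it, so it cannot be protecting that processor's `url.domain` output as the commit message describes; unless some processor earlier in the pipeline (outside this hunk) already fills `threatintel.indicator.url.domain`, the clause is always true here. If the ordering is the bug, move the rename below the `uri_parts` block (its remaining options are outside the hunk) and, since the rename removes `json.entity.name`, make sure `uri_parts` is either conditioned on a URL-type indicator or given `ignore_missing: true`. If instead the guard is intentional for an earlier producer, a one-line comment naming it would save the next reader the same question; otherwise drop the clause so the condition reads `if: 'ctx.threatintel?.indicator?.type == "domain-name"'`.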
@@ -49,7 +49,7 @@ processors:
   ignore_empty_value: true
 - rename:
   field: threatintel.abuseurl.urlhaus_reference
-  target_field: indicator.reference
+  target_field: threatintel.indicator.reference
   ignore_missing: true
 
 # Host can be both IP addresses and domain names
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
index 8d4a5240171d..318f74d53a63 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
@@ -116,7 +116,7 @@ processors:
   ignore_missing: true
 
 - set:
-  field: event.reference
+  field: threatintel.indicator.reference
   value: '{{{ json.intelCard }}}'
   ignore_empty_value: true
 
From 2b82431892f1a59d5b041ed7e747a0707b6c7890 Mon Sep 17 00:00:00 2001
From: Ryland Herrick
Date: Wed, 11 Aug 2021 14:32:49 -0500
Subject: [PATCH 4/9] Fix missing prefix in target field

---
 .../module/threatintel/abusemalware/ingest/pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
index deba4e333cda..64575f9459d8 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
@@ -49,7 +49,7 @@ processors:
   ignore_missing: true
 - rename:
   field: threatintel.abusemalware.urlhaus_download
-  target_field: indicator.reference
+  target_field: threatintel.indicator.reference
   ignore_missing: true
 - convert:
   field: threatintel.indicator.file.size
From d36ae86d1e8d3a7dcb86f06290fe04536e97a7a8 Mon Sep 17 00:00:00 2001
From: Marius Iversen
Date: Thu, 2 Sep 2021 16:41:09 +0200
Subject: [PATCH 5/9] linting and apply new testfiles

---
 .../module/threatintel/_meta/docs.asciidoc | 2 +-
 .../module/threatintel/_meta/fields.yml | 500 +++++++++---------
 .../abusemalware/ingest/pipeline.yml | 264 ++++-----
 .../abusechmalware.ndjson.log-expected.json | 27 +-
 .../threatintel/abuseurl/ingest/pipeline.yml | 194 +++----
 .../test/abusechurl.ndjson.log-expected.json | 353 ++++++-------
 .../anomali_limo.ndjson.log-expected.json | 114 +++-
 .../test/generated.log-expected.json | 416 +++++++++++----
 x-pack/filebeat/module/threatintel/fields.go | 2 +-
 .../test/misp_sample.ndjson.log-expected.json | 6 +-
 .../test/otx_sample.ndjson.log-expected.json | 36 +-
 .../test/domain.ndjson.log-expected.json | 40 +-
 .../test/hash.ndjson.log-expected.json | 20 +-
 .../test/ip.ndjson.log-expected.json | 20 +-
 .../test/url.ndjson.log-expected.json | 20 +-
 15 files changed, 1126 insertions(+), 888 deletions(-)

diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
index fa770e0eb6eb..3b3a0882044d 100644
--- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
@@ -63,7 +63,7 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields.
 [options="header"]
 |==============================================================
 | URL Threat Intel Fields | ECS Fields
-| url | threat.indicator.url.full
+| url | threatintel.indicator.url.full
 | date_added | @timestamp
 | host | threatintel.indicator.ip/domain
 |==============================================================
diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml
index fb4ef48b0622..83fa64029133 100644
--- a/x-pack/filebeat/module/threatintel/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/_meta/fields.yml
@@ -73,11 +73,15 @@
           type: keyword
           description: >
             Identifies the name of specific dataset from the intelligence source.
+        - name: indicator.reference
+          type: keyword
+          description: >
+            Reference URL linking to additional information about this indicator.
         - name: indicator.ip
           type: ip
           description: >
             Identifies a threat indicator as an IP address (irrespective of direction).
-        - name: indicator.domain
+        - name: indicator.url.domain
           type: keyword
           description: >
             Identifies a threat indicator as a domain (irrespective of direction).
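Review bot: `indicator.url.domain` is now declared twice in this file: the renamed top-level entry added here (`- name: indicator.url.domain`, type keyword) and the existing `domain` entry inside the `indicator.url` group further down in the same diff, which maps to the same `threatintel.indicator.url.domain` path. How the fields.go/template generator resolves a duplicated path is not something this diff shows, so which description ends up in the generated mapping is undefined from the reader's point of view, and a later `ignore_above` or type tweak to one entry will silently not apply to the other. Drop the top-level entry and, if the direction-agnostic wording matters, fold it into the group's `domain` description, e.g. `Domain of the url, such as "www.elastic.co"; also identifies a threat indicator that is a bare domain (irrespective of direction).` The new `indicator.reference` entry is fine as-is, though a reference URL is a natural candidate for `ignore_above: 1024` like the other URL-shaped keywords in this file.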
@@ -101,285 +105,291 @@ - name: indicator.matched type: group fields: - - name: atomic - type: keyword - description: > - Identifies the atomic indicator that matched a local environment endpoint or network event. - - name: field - type: keyword - description: > - Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - - name: type - type: keyword - description: > - Identifies the type of the atomic indicator that matched a local environment endpoint or network event. + - name: atomic + type: keyword + description: > + Identifies the atomic indicator that matched a local environment endpoint or network event. + - name: field + type: keyword + description: > + Identifies the field of the atomic indicator that matched a local environment endpoint or network event. + - name: type + type: keyword + description: > + Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - name: indicator.as type: group fields: - - name: number - type: long - description: Unique number allocated to the autonomous system. The autonomous system number (ASN) - uniquely identifies each network on the Internet. - example: 15169 - - name: organization.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Organization name. - example: Google LLC + - name: number + type: long + description: + Unique number allocated to the autonomous system. The autonomous system number (ASN) + uniquely identifies each network on the Internet. + example: 15169 + - name: organization.name + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC - name: indicator.registry type: group fields: - - name: data.strings - type: keyword - ignore_above: 1024 - description: > - Content when writing string types. 
- Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`). - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - - name: path - type: keyword - ignore_above: 1024 - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - - name: value - type: keyword - ignore_above: 1024 - description: Name of the value written. - example: Debugger - - name: key - type: keyword - ignore_above: 1024 - description: Registry key value + - name: data.strings + type: keyword + ignore_above: 1024 + description: > + Content when writing string types. + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`). + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + - name: path + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: + HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + - name: value + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + - name: key + type: keyword + ignore_above: 1024 + description: Registry key value - name: indicator.geo type: group fields: - - name: city_name - type: keyword - ignore_above: 1024 - description: City name. 
- example: Montreal - - name: continent_name - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: country_iso_code - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: country_name - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: location - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: region_iso_code - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: region_name - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec + - name: city_name + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: continent_name + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: country_iso_code + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: country_name + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: region_iso_code + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: region_name + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec - name: indicator.file.pe.imphash type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash + description: + "A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html." example: 0c6803c4e922103c4dca5963aad36ddf - name: indicator.file type: group fields: - - name: hash - type: group - fields: - - name: tlsh + - name: hash + type: group + fields: + - name: tlsh + type: keyword + description: > + The file's import tlsh, if available. + - name: ssdeep + type: keyword + description: > + The file's ssdeep hash, if available. + - name: md5 + type: keyword + description: > + The file's md5 hash, if available. + - name: sha1 + type: keyword + description: > + The file's sha1 hash, if available. + - name: sha256 + type: keyword + description: > + The file's sha256 hash, if available. + - name: sha384 + type: keyword + description: > + The file's sha384 hash, if available. + - name: sha512 + type: keyword + description: > + The file's sha512 hash, if available. + - name: type type: keyword + ignore_above: 1024 description: > - The file's import tlsh, if available. - - name: ssdeep + The file type. + - name: size + type: long + description: > + The file's total size. + - name: name type: keyword description: > - The file's ssdeep hash, if available. - - name: md5 + The file's name. + - name: extension type: keyword description: > - The file's md5 hash, if available. - - name: sha1 + The file's extension. + - name: mime_type type: keyword description: > - The file's sha1 hash, if available. - - name: sha256 + The file's MIME type. + - name: indicator.url + type: group + fields: + - name: domain type: keyword description: > - The file's sha256 hash, if available. - - name: sha384 + Domain of the url, such as "www.elastic.co". + - name: extension type: keyword + ignore_above: 1024 description: > - The file's sha384 hash, if available. 
- - name: sha512 + The field contains the file extension from the original request + - name: fragment type: keyword + ignore_above: 1024 description: > - The file's sha512 hash, if available. - - name: type - type: keyword - ignore_above: 1024 - description: > - The file type. - - name: size - type: long - description: > - The file's total size. - - name: name - type: keyword - description: > - The file's name. - - name: extension - type: keyword - description: > - The file's extension. - - name: mime_type - type: keyword - description: > - The file's MIME type. - - name: indicator.url - type: group - fields: - - name: domain - type: keyword - description: > - Domain of the url, such as "www.elastic.co". - - name: extension - type: keyword - ignore_above: 1024 - description: > - The field contains the file extension from the original request - - name: fragment - type: keyword - ignore_above: 1024 - description: > - Portion of the url after the `#`, such as "top". - - name: full - type: keyword - description: > - If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - - name: original - type: keyword - description: > - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - - name: password - type: keyword - ignore_above: 1024 - description: > - Password of the request. - - name: path - type: keyword - description: > - Path of the request, such as "/search". - - name: port - type: long - format: string - description: > - Port of the request, such as 443. - - name: query - type: keyword - ignore_above: 1024 - description: > - The query field describes the query string of the request, such - as "q=elasticsearch". 
- The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases. - - name: registered_domain - type: keyword - description: > - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk". - - name: scheme - type: keyword - ignore_above: 1024 - description: > - Scheme of the request, such as "https". - - name: subdomain - type: keyword - ignore_above: 1024 - description: > - The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period. - - name: top_level_domain - type: keyword - ignore_above: 1024 - description: > - The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk". - - name: username - type: keyword - ignore_above: 1024 - description: > - Username of the request. 
+ Portion of the url after the `#`, such as "top". + - name: full + type: keyword + description: > + If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + - name: original + type: keyword + description: > + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + - name: password + type: keyword + ignore_above: 1024 + description: > + Password of the request. + - name: path + type: keyword + description: > + Path of the request, such as "/search". + - name: port + type: long + format: string + description: > + Port of the request, such as 443. + - name: query + type: keyword + ignore_above: 1024 + description: > + The query field describes the query string of the request, such + as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases. + - name: registered_domain + type: keyword + description: > + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk". + - name: scheme + type: keyword + ignore_above: 1024 + description: > + Scheme of the request, such as "https". 
+ - name: subdomain + type: keyword + ignore_above: 1024 + description: > + The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period. + - name: top_level_domain + type: keyword + ignore_above: 1024 + description: > + The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk". + - name: username + type: keyword + ignore_above: 1024 + description: > + Username of the request. - name: indicator.x509 type: group fields: - - name: serial_number - type: keyword - ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - - name: issuer - type: keyword - ignore_above: 1024 - description: Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - - name: subject - type: keyword - ignore_above: 1024 - description: Name of the certificate subject entity. 
Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - - name: alternative_names - type: keyword - ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' + - name: serial_number + type: keyword + ignore_above: 1024 + description: + Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + - name: issuer + type: keyword + ignore_above: 1024 + description: Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. + example: + C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + - name: subject + type: keyword + ignore_above: 1024 + description: Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + - name: alternative_names + type: keyword + ignore_above: 1024 + description: + List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: "*.elastic.co" - name: indicator.signature type: keyword description: > diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml index 64575f9459d8..25d2ca6358de 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml 
+++ b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml 
@@ -1,138 +1,138 @@ description: Pipeline for parsing Abuse.ch Malware Threat Intel processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator -#################### -# Event ECS fields # -#################### -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- set: - field: event.kind - value: enrichment -- set: - field: event.category - value: threat -- set: - field: event.type - value: indicator + ###################### + # General ECS fields # + ###################### + - rename: + field: json + target_field: threatintel.abusemalware + ignore_missing: true -###################### -# General ECS fields # -###################### -- rename: - field: json - target_field: threatintel.abusemalware - ignore_missing: true + ##################### + # Threat ECS Fields # + ##################### + - date: + field: threatintel.abusemalware.firstseen + target_field: threatintel.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx?.threatintel?.abusemalware.firstseen != null" + - set: + field: threatintel.indicator.type + value: file + - rename: + field: threatintel.abusemalware.file_size + target_field: threatintel.indicator.file.size + ignore_missing: true + - rename: + field: threatintel.abusemalware.file_type + target_field: threatintel.indicator.file.type + ignore_missing: true + # This includes a direct link to malicious files, we do not want them to appear in Kibana + # in case they are accidently clicked. 
+ - remove: + field: threatintel.abusemalware.urlhaus_download + ignore_missing: true + - convert: + field: threatintel.indicator.file.size + type: long + ignore_missing: true + - rename: + field: threatintel.abusemalware.md5_hash + target_field: threatintel.indicator.file.hash.md5 + ignore_missing: true + - rename: + field: threatintel.abusemalware.sha256_hash + target_field: threatintel.indicator.file.hash.sha256 + ignore_missing: true + - rename: + field: threatintel.abusemalware.imphash + target_field: threatintel.indicator.file.pe.imphash + ignore_missing: true + - rename: + field: threatintel.abusemalware.ssdeep + target_field: threatintel.indicator.file.hash.ssdeep + ignore_missing: true + - rename: + field: threatintel.abusemalware.tlsh + target_field: threatintel.indicator.file.hash.tlsh + ignore_missing: true + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.md5 }}" + if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.sha256 }}" + if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.ssdeep }}" + if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.pe.imphash }}" + if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.tlsh }}" + if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null -##################### -# Threat ECS Fields # -##################### -- date: - field: threatintel.abusemalware.firstseen - target_field: threatintel.indicator.first_seen - formats: - - "yyyy-MM-dd HH:mm:ss z" - - "yyyy-MM-dd HH:mm:ss Z" - - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.abusemalware.firstseen != null" -- set: - field: threatintel.indicator.type - value: file -- rename: - field: 
threatintel.abusemalware.file_size - target_field: threatintel.indicator.file.size - ignore_missing: true -- rename: - field: threatintel.abusemalware.file_type - target_field: threatintel.indicator.file.type - ignore_missing: true -- rename: - field: threatintel.abusemalware.urlhaus_download - target_field: threatintel.indicator.reference - ignore_missing: true -- convert: - field: threatintel.indicator.file.size - type: long - ignore_missing: true -- rename: - field: threatintel.abusemalware.md5_hash - target_field: threatintel.indicator.file.hash.md5 - ignore_missing: true -- rename: - field: threatintel.abusemalware.sha256_hash - target_field: threatintel.indicator.file.hash.sha256 - ignore_missing: true -- rename: - field: threatintel.abusemalware.imphash - target_field: threatintel.indicator.file.pe.imphash - ignore_missing: true -- rename: - field: threatintel.abusemalware.ssdeep - target_field: threatintel.indicator.file.hash.ssdeep - ignore_missing: true -- rename: - field: threatintel.abusemalware.tlsh - target_field: threatintel.indicator.file.hash.tlsh - ignore_missing: true -- append: - field: related.hash - value: '{{ threatintel.indicator.file.hash.md5 }}' - if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null -- append: - field: related.hash - value: '{{ threatintel.indicator.file.hash.sha256 }}' - if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null -- append: - field: related.hash - value: '{{ threatintel.indicator.file.hash.ssdeep }}' - if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null -- append: - field: related.hash - value: '{{ threatintel.indicator.file.pe.imphash }}' - if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null -- append: - field: related.hash - value: '{{ threatintel.indicator.file.hash.tlsh }}' - if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null - -###################### -# Cleanup processors # -###################### -- set: - field: threatintel.indicator.type - value: unknown - if: 
ctx?.threatintel?.indicator?.type == null -- script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); -- remove: - field: - - threatintel.abusemalware.firstseen - - message - ignore_missing: true + ###################### + # Cleanup processors # + ###################### + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: + - threatintel.abusemalware.firstseen + - message + ignore_missing: true on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json index 9cdb0062d24b..6c31b6f779c2 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json 
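Review bot: The `date` processor in the "Threat ECS Fields" block keeps a condition that is not fully null-safe, `if: "ctx?.threatintel?.abusemalware.firstseen != null"` — the `?.` chain stops at `abusemalware`, unlike every other condition in this file (e.g. `ctx?.threatintel?.indicator?.file?.hash?.md5 != null`) and the abuseurl pipeline's `ctx?.threatintel?.abuseurl?.date_added`, so a document where the `json` rename found nothing (it has `ignore_missing: true`) can fail at this step instead of skipping it. Change it to `if: "ctx?.threatintel?.abusemalware?.firstseen != null"`. Replacing the `rename` of `threatintel.abusemalware.urlhaus_download` with a `remove` is a reasonable choice for a field holding a direct sample-download link; the new comment explaining it has a typo, `accidently` should read `accidentally`. Re-indenting the whole processors list turns that one semantic change into a 138-line diff where nearly every line is whitespace or quote-style churn, which makes the history hard to bisect; landing the reformat separately from the behaviour change would help reviewers.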
@@ -4,7 +4,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -36,7 +35,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -68,7 +66,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -103,7 +100,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -135,7 +131,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", 
@@ -165,7 +160,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -200,7 +194,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -232,7 +225,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -264,7 +256,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -297,7 +288,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", 
@@ -329,7 +319,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -361,7 +350,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -393,7 +381,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -425,7 +412,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -457,7 +443,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", 
@@ -490,7 +475,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -522,7 +506,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -554,7 +537,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -587,7 +569,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -619,7 +600,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", 
@@ -651,7 +631,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -684,7 +663,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -716,7 +694,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -748,7 +725,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -780,7 +756,6 @@ "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus-api.abuse.ch/v1/download/fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27/", "event.type": "indicator", "fileset.name": "abusemalware", "input.type": "log", @@ -807,4 +782,4 @@ "threatintel.indicator.first_seen": "2021-01-14T06:04:20.000Z", "threatintel.indicator.type": "file" } -] +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
index dfb691053d91..bf674ba2c88e 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
@@ -1,110 +1,110 @@ description: Pipeline for parsing Abuse.ch URL Threat Intel processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator -#################### -# Event ECS fields # -#################### -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- set: - field: event.kind - value: enrichment -- set: - field: event.category - value: threat -- set: - field: event.type - value: indicator + ###################### + # General ECS fields # + ###################### + - rename: + field: json + target_field: threatintel.abuseurl + ignore_missing: true -###################### -# General ECS fields # -###################### -- rename: - field: json - target_field: threatintel.abuseurl - ignore_missing: true + ##################### + # Threat ECS Fields # + ##################### + - set: + field: threatintel.indicator.type + value: url + - date: + field: threatintel.abuseurl.date_added + target_field: threatintel.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + if: "ctx?.threatintel?.abuseurl?.date_added != null" + - uri_parts: + field: threatintel.abuseurl.url + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + - set: + field: threatintel.indicator.url.full + value: "{{{threatintel.indicator.url.original}}}" + ignore_empty_value: true + - rename: + field: threatintel.abuseurl.urlhaus_reference + target_field: threatintel.indicator.reference + ignore_missing: true -##################### -# Threat ECS Fields # -##################### -- set: - field: threatintel.indicator.type - value: url -- date: - field: threatintel.abuseurl.date_added - target_field: threatintel.indicator.first_seen - formats: - - "yyyy-MM-dd HH:mm:ss z" - - "yyyy-MM-dd 
HH:mm:ss Z" - if: "ctx?.threatintel?.abuseurl?.date_added != null" -- uri_parts: - field: threatintel.abuseurl.url - target_field: threatintel.indicator.url - keep_original: true - remove_if_successful: true -- set: - field: threatintel.indicator.url.full - value: '{{{threatintel.indicator.url.original}}}' - ignore_empty_value: true -- rename: - field: threatintel.abuseurl.urlhaus_reference - target_field: threatintel.indicator.reference - ignore_missing: true + # Host can be both IP addresses and domain names + - grok: + field: threatintel.abuseurl.host + patterns: + - "(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.url.domain})" + ignore_failure: true + - rename: + field: threatintel.abuseurl.reporter + target_field: threatintel.indicator.provider + ignore_missing: true -# Host can be both IP addresses and domain names -- grok: - field: threatintel.abuseurl.host - patterns: - - '(?:%{IP:threatintel.indicator.ip})' - ignore_failure: true -- rename: - field: threatintel.abuseurl.reporter - target_field: threatintel.indicator.provider - ignore_missing: true - -###################### -# Cleanup processors # -###################### -- set: - field: threatintel.indicator.type - value: unknown - if: ctx?.threatintel?.indicator?.type == null -- convert: - field: threatintel.abuseurl.larted - type: boolean - ignore_missing: true -- script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { + ###################### + # Cleanup processors # + ###################### + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null + - convert: + field: threatintel.abuseurl.larted + type: boolean + ignore_missing: true + - script: + lang: painless 
+ if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { if (x instanceof Map) { handleMap(x); } else if (x instanceof List) { handleList(x); } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } } - } - handleMap(ctx); -- remove: - field: - - threatintel.abuseurl.date_added - - threatintel.abuseurl.url - - message - ignore_missing: true + handleMap(ctx); + - remove: + field: + - threatintel.abuseurl.date_added + - threatintel.abuseurl.url + - threatintel.abuseurl.host + - message + ignore_missing: true on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json index a37eb5f45de1..3b312440b342 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json @@ -4,7 +4,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961548/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
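Review bot: The restored grok pattern on `threatintel.abuseurl.host`, `"(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.url.domain})"`, is unanchored, so a hostname that merely begins with an IP-shaped prefix (a constructed example: `1.2.3.4.example.net`) can be matched by the `%{IP}` alternative with only that prefix recorded as `threatintel.indicator.ip`, and the domain alternative never runs. Anchoring it, `- "^(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.url.domain})$"`, makes the classification apply to the whole host value. Note also that `threatintel.indicator.url.domain` has already been written by the `uri_parts` processor above it (the expected output shows it set to the same IP value alongside `indicator.ip`), so the `GREEDYDATA` branch only re-sets that field; if the intent is just to pick out IP-valued hosts, the IP-only form on the removed line plus the new `threatintel.abuseurl.host` entry in the final `remove` would do the same with less ambiguity. Either way a short comment above the grok stating which field is authoritative for the domain would save the next reader from working that out.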
@@ -24,9 +23,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "103.72.223.103", "threatintel.indicator.first_seen": "2021-01-14T21:19:13.000Z", + "threatintel.indicator.ip": "103.72.223.103", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961548/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "103.72.223.103", "threatintel.indicator.url.extension": "m", @@ -41,7 +41,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961546/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -61,9 +60,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "112.30.97.184", "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z", + "threatintel.indicator.ip": "112.30.97.184", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961546/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "112.30.97.184", "threatintel.indicator.url.extension": "m", @@ -78,7 +78,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961547/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -98,9 +97,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "113.110.198.53", "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z", + "threatintel.indicator.ip": "113.110.198.53", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961547/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "113.110.198.53", "threatintel.indicator.url.extension": "m", @@ -115,7 +115,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961545/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -135,9 +134,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "101.20.183.170", "threatintel.indicator.first_seen": "2021-01-14T21:19:04.000Z", + "threatintel.indicator.ip": "101.20.183.170", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961545/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "101.20.183.170", "threatintel.indicator.url.extension": "m", @@ -152,7 +152,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961544/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -172,9 +171,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "59.8.35.22", "threatintel.indicator.first_seen": "2021-01-14T21:07:07.000Z", + "threatintel.indicator.ip": "59.8.35.22", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961544/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "59.8.35.22", "threatintel.indicator.url.extension": "a", @@ -189,7 +189,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961543/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -209,9 +208,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "59.96.37.35", "threatintel.indicator.first_seen": "2021-01-14T21:07:06.000Z", + "threatintel.indicator.ip": "59.96.37.35", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961543/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "59.96.37.35", "threatintel.indicator.url.extension": "a", @@ -226,7 +226,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961540/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -246,9 +245,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "42.239.233.17", "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threatintel.indicator.ip": "42.239.233.17", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961540/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.239.233.17", "threatintel.indicator.url.extension": "m", @@ -263,7 +263,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961541/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -283,9 +282,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "58.252.178.20", "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threatintel.indicator.ip": "58.252.178.20", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961541/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "58.252.178.20", "threatintel.indicator.url.extension": "m", @@ -300,7 +300,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961542/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -320,9 +319,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "45.176.111.95", "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threatintel.indicator.ip": "45.176.111.95", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961542/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "45.176.111.95", "threatintel.indicator.url.extension": "m", @@ -337,7 +337,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961539/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -357,9 +356,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "42.224.68.97", "threatintel.indicator.first_seen": "2021-01-14T21:07:04.000Z", + "threatintel.indicator.ip": "42.224.68.97", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961539/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.224.68.97", "threatintel.indicator.url.extension": "m", @@ -374,7 +374,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961538/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -394,9 +393,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "222.81.144.207", "threatintel.indicator.first_seen": "2021-01-14T21:06:08.000Z", + "threatintel.indicator.ip": "222.81.144.207", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961538/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "222.81.144.207", "threatintel.indicator.url.extension": "m", @@ -411,7 +411,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961537/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -431,9 +430,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.127.185.137", "threatintel.indicator.first_seen": "2021-01-14T21:06:06.000Z", + "threatintel.indicator.ip": "182.127.185.137", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961537/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.127.185.137", "threatintel.indicator.url.extension": "m", @@ -448,7 +448,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961531/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -468,9 +467,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "39.84.175.185", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "39.84.175.185", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961531/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "39.84.175.185", "threatintel.indicator.url.extension": "a", @@ -485,7 +485,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961532/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -505,9 +504,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "27.41.11.238", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "27.41.11.238", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961532/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "27.41.11.238", "threatintel.indicator.url.extension": "m", @@ -522,7 +522,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961533/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -542,9 +541,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.127.133.68", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "182.127.133.68", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961533/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.127.133.68", "threatintel.indicator.url.extension": "a", @@ -559,7 +559,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961534/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -579,9 +578,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "27.46.44.102", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "27.46.44.102", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961534/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "27.46.44.102", "threatintel.indicator.url.extension": "m", @@ -596,7 +596,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961535/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -616,9 +615,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "39.70.88.65", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "39.70.88.65", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961535/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "39.70.88.65", "threatintel.indicator.url.extension": "m", @@ -633,7 +633,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961536/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -653,9 +652,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "42.224.136.237", "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.ip": "42.224.136.237", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961536/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.224.136.237", "threatintel.indicator.url.extension": "m", @@ -670,7 +670,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961530/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -690,9 +689,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "117.208.135.63", "threatintel.indicator.first_seen": "2021-01-14T21:05:34.000Z", + "threatintel.indicator.ip": "117.208.135.63", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961530/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "117.208.135.63", "threatintel.indicator.url.extension": "a", @@ -707,7 +707,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961525/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -727,9 +726,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "125.47.66.60", "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.ip": "125.47.66.60", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961525/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "125.47.66.60", "threatintel.indicator.url.extension": "m", @@ -744,7 +744,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961526/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -764,9 +763,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.117.95.148", "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.ip": "182.117.95.148", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961526/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.117.95.148", "threatintel.indicator.url.extension": "a", @@ -781,7 +781,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961527/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -801,9 +800,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "117.202.71.48", "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.ip": "117.202.71.48", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961527/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "117.202.71.48", "threatintel.indicator.url.extension": "m", @@ -818,7 +818,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961528/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -838,9 +837,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "125.99.132.118", "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.ip": "125.99.132.118", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961528/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "125.99.132.118", "threatintel.indicator.url.extension": "m", @@ -855,7 +855,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961529/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -875,9 +874,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.114.123.69", "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.ip": "182.114.123.69", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961529/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.114.123.69", "threatintel.indicator.url.extension": "m", @@ -892,7 +892,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961524/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -911,9 +910,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "116.19.127.37", "threatintel.indicator.first_seen": "2021-01-14T21:04:38.000Z", + "threatintel.indicator.ip": "116.19.127.37", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961524/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "116.19.127.37", "threatintel.indicator.url.extension": "m", @@ -928,7 +928,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961523/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -947,9 +946,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "42.239.253.55", "threatintel.indicator.first_seen": "2021-01-14T21:04:36.000Z", + "threatintel.indicator.ip": "42.239.253.55", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961523/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.239.253.55", "threatintel.indicator.url.extension": "m", @@ -964,7 +964,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961520/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -983,9 +982,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "103.217.121.228", "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threatintel.indicator.ip": "103.217.121.228", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961520/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "103.217.121.228", "threatintel.indicator.url.extension": "m", @@ -1000,7 +1000,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961521/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1019,9 +1018,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "111.92.81.255", "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threatintel.indicator.ip": "111.92.81.255", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961521/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "111.92.81.255", "threatintel.indicator.url.extension": "m", @@ -1036,7 +1036,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961522/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1055,9 +1054,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "45.229.55.75", "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threatintel.indicator.ip": "45.229.55.75", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961522/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "45.229.55.75", "threatintel.indicator.url.extension": "m", @@ -1072,7 +1072,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961518/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1091,9 +1090,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.121.242.148", "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z", + "threatintel.indicator.ip": "182.121.242.148", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961518/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.121.242.148", "threatintel.indicator.url.extension": "m", @@ -1108,7 +1108,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961519/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1128,9 +1127,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "106.115.189.249", "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z", + "threatintel.indicator.ip": "106.115.189.249", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961519/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "106.115.189.249", "threatintel.indicator.url.extension": "m", @@ -1145,7 +1145,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961516/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1166,9 +1165,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.117.93.110", "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z", + "threatintel.indicator.ip": "182.117.93.110", "threatintel.indicator.provider": "geenensp", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961516/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.117.93.110", "threatintel.indicator.url.extension": "sh", @@ -1183,7 +1183,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961517/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1203,9 +1202,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "110.251.5.169", "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z", + "threatintel.indicator.ip": "110.251.5.169", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961517/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "110.251.5.169", "threatintel.indicator.url.extension": "m", @@ -1220,7 +1220,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961515/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1239,9 +1238,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "101.51.117.186", "threatintel.indicator.first_seen": "2021-01-14T21:04:06.000Z", + "threatintel.indicator.ip": "101.51.117.186", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961515/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "101.51.117.186", "threatintel.indicator.url.extension": "m", @@ -1256,7 +1256,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961513/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1275,9 +1274,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "121.151.78.166", "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z", + "threatintel.indicator.ip": "121.151.78.166", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961513/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "121.151.78.166", "threatintel.indicator.url.extension": "m", @@ -1292,7 +1292,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961514/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1311,9 +1310,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "116.72.92.97", "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z", + "threatintel.indicator.ip": "116.72.92.97", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961514/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "116.72.92.97", "threatintel.indicator.url.extension": "m", @@ -1328,7 +1328,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961509/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1347,9 +1346,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "27.218.15.209", "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threatintel.indicator.ip": "27.218.15.209", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961509/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "27.218.15.209", "threatintel.indicator.url.extension": "m", @@ -1364,7 +1364,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961510/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1383,9 +1382,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "120.85.171.210", "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threatintel.indicator.ip": "120.85.171.210", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961510/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "120.85.171.210", "threatintel.indicator.url.extension": "m", @@ -1400,7 +1400,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961511/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1421,9 +1420,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "117.251.59.53", "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threatintel.indicator.ip": "117.251.59.53", "threatintel.indicator.provider": "geenensp", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961511/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "117.251.59.53", "threatintel.indicator.url.full": "http://117.251.59.53:50611/i", @@ -1437,7 +1437,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961512/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1456,9 +1455,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "115.58.83.167", "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threatintel.indicator.ip": "115.58.83.167", "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961512/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "115.58.83.167", "threatintel.indicator.url.extension": "m", @@ -1473,7 +1473,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961507/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1493,9 +1492,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "94.178.124.83", "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z", + "threatintel.indicator.ip": "94.178.124.83", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961507/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "94.178.124.83", "threatintel.indicator.url.extension": "m", @@ -1510,7 +1510,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961508/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1530,9 +1529,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "182.122.75.232", "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z", + "threatintel.indicator.ip": "182.122.75.232", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961508/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.122.75.232", "threatintel.indicator.url.extension": "m", @@ -1547,7 +1547,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961506/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1567,9 +1566,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "115.63.202.43", "threatintel.indicator.first_seen": "2021-01-14T20:52:07.000Z", + "threatintel.indicator.ip": "115.63.202.43", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961506/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "115.63.202.43", "threatintel.indicator.url.extension": "m", @@ -1584,7 +1584,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961504/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1604,9 +1603,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "59.99.40.204", "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z", + "threatintel.indicator.ip": "59.99.40.204", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961504/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "59.99.40.204", "threatintel.indicator.url.extension": "m", @@ -1621,7 +1621,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961505/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1641,9 +1640,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "117.247.128.213", "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z", + "threatintel.indicator.ip": "117.247.128.213", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961505/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "117.247.128.213", "threatintel.indicator.url.extension": "m", @@ -1658,7 +1658,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961500/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1678,9 +1677,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "14.137.219.132", "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threatintel.indicator.ip": "14.137.219.132", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961500/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "14.137.219.132", "threatintel.indicator.url.extension": "a", @@ -1695,7 +1695,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961501/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1715,9 +1714,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "42.224.40.14", "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threatintel.indicator.ip": "42.224.40.14", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961501/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.224.40.14", "threatintel.indicator.url.extension": "m", @@ -1732,7 +1732,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961502/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1752,9 +1751,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "186.33.104.107", "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threatintel.indicator.ip": "186.33.104.107", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961502/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "186.33.104.107", "threatintel.indicator.url.extension": "m", @@ -1769,7 +1769,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961503/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1789,9 +1788,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "85.105.16.154", "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threatintel.indicator.ip": "85.105.16.154", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961503/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "85.105.16.154", "threatintel.indicator.url.extension": "m", @@ -1806,7 +1806,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961496/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1826,9 +1825,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "178.141.73.115", "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threatintel.indicator.ip": "178.141.73.115", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961496/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "178.141.73.115", "threatintel.indicator.url.extension": "a", @@ -1843,7 +1843,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961497/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1863,9 +1862,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "186.33.104.135", "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threatintel.indicator.ip": "186.33.104.135", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961497/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "186.33.104.135", "threatintel.indicator.url.extension": "m", @@ -1880,7 +1880,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961498/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1900,9 +1899,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "115.56.159.43", "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threatintel.indicator.ip": "115.56.159.43", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961498/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "115.56.159.43", "threatintel.indicator.url.extension": "m", @@ -1917,7 +1917,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961499/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -1937,9 +1936,10 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.domain": "42.230.138.170", "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threatintel.indicator.ip": "42.230.138.170", "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961499/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.230.138.170", "threatintel.indicator.url.extension": "m", @@ -1954,7 +1954,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961494/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -1973,9 +1972,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961494/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "jpg", @@ -1989,7 +1988,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961495/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -2008,9 +2006,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961495/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "png",
@@ -2024,7 +2022,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961492/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2043,9 +2040,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "ladiesincode.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961492/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ladiesincode.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -2059,7 +2056,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961493/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2078,9 +2074,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "letonguesc.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961493/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "letonguesc.com",
 "threatintel.indicator.url.extension": "css",
@@ -2094,7 +2090,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961490/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2113,9 +2108,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961490/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "png",
@@ -2129,7 +2124,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961491/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2148,9 +2142,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961491/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "css",
@@ -2164,7 +2158,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961489/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2183,9 +2176,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:41.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961489/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "gif",
@@ -2199,7 +2192,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961488/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2218,9 +2210,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:40.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961488/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "png",
@@ -2234,7 +2226,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961487/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2253,9 +2244,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:17.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961487/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -2269,7 +2260,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961485/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2288,9 +2278,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "ladiesincode.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961485/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ladiesincode.com",
 "threatintel.indicator.url.extension": "css",
@@ -2304,7 +2294,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961486/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2323,9 +2312,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "letonguesc.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961486/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "letonguesc.com",
 "threatintel.indicator.url.extension": "gif",
@@ -2339,7 +2328,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961482/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2358,9 +2346,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961482/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "css",
@@ -2374,7 +2362,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961483/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2393,9 +2380,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961483/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "png",
@@ -2409,7 +2396,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961484/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2428,9 +2414,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961484/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -2444,7 +2430,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961480/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2463,9 +2448,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961480/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "png",
@@ -2479,7 +2464,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961481/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2498,9 +2482,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961481/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -2514,7 +2498,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961478/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2533,9 +2516,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961478/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "png",
@@ -2549,7 +2532,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961479/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2568,9 +2550,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "ladiesincode.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961479/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ladiesincode.com",
 "threatintel.indicator.url.extension": "gif",
@@ -2584,7 +2566,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961476/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2603,9 +2584,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961476/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "css",
@@ -2619,7 +2600,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961477/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2638,9 +2618,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961477/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "png",
@@ -2654,7 +2634,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961470/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2673,9 +2652,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961470/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -2689,7 +2668,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961471/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2708,9 +2686,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "fhivelifestyle.online",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961471/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "fhivelifestyle.online",
 "threatintel.indicator.url.extension": "jpg",
@@ -2724,7 +2702,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961472/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2743,9 +2720,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961472/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "css",
@@ -2759,7 +2736,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961473/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2778,9 +2754,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961473/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "css",
@@ -2794,7 +2770,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961474/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2813,9 +2788,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961474/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "css",
@@ -2829,7 +2804,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961475/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2848,9 +2822,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961475/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "css",
@@ -2864,7 +2838,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961468/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2883,9 +2856,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961468/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -2899,7 +2872,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961469/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2918,9 +2890,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961469/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "css",
@@ -2934,7 +2906,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961467/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2953,9 +2924,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "letonguesc.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:13.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961467/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "letonguesc.com",
 "threatintel.indicator.url.extension": "png",
@@ -2969,7 +2940,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961464/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -2988,9 +2958,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "ladiesincode.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961464/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ladiesincode.com",
 "threatintel.indicator.url.extension": "css",
@@ -3004,7 +2974,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961465/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3023,9 +2992,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "ladiesincode.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961465/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ladiesincode.com",
 "threatintel.indicator.url.extension": "css",
@@ -3039,7 +3008,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961466/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3058,9 +3026,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "letonguesc.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961466/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "letonguesc.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -3074,7 +3042,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961461/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3093,9 +3060,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961461/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "png",
@@ -3109,7 +3076,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961462/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3128,9 +3094,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961462/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "css",
@@ -3144,7 +3110,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961463/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3163,9 +3128,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961463/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "css",
@@ -3179,7 +3144,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961458/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3198,9 +3162,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "belfetproduction.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961458/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "belfetproduction.com",
 "threatintel.indicator.url.extension": "css",
@@ -3214,7 +3178,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961459/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3233,9 +3196,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "ladiesincode.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961459/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ladiesincode.com",
 "threatintel.indicator.url.extension": "jpg",
@@ -3249,7 +3212,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961460/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3268,9 +3230,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961460/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "png",
@@ -3284,7 +3246,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961455/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3303,9 +3264,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961455/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "gif",
@@ -3319,7 +3280,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961456/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3338,9 +3298,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961456/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "gif",
@@ -3354,7 +3314,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961457/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3373,9 +3332,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "letonguesc.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961457/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "letonguesc.com",
 "threatintel.indicator.url.extension": "gif",
@@ -3389,7 +3348,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961450/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3408,9 +3366,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "cxminute.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961450/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cxminute.com",
 "threatintel.indicator.url.extension": "png",
@@ -3424,7 +3382,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961451/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3443,9 +3400,9 @@
 ],
 "threatintel.abuseurl.threat": "malware_download",
 "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.domain": "univirtek.com",
 "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z",
 "threatintel.indicator.provider": "Cryptolaemus1",
+ "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961451/",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "univirtek.com",
 "threatintel.indicator.url.extension": "css",
@@ -3459,7 +3416,6 @@
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://urlhaus.abuse.ch/url/961452/",
 "event.type": "indicator",
 "fileset.name": "abuseurl",
 "input.type": "log",
@@ -3478,9 +3434,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961452/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "css", @@ -3494,7 +3450,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961453/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3513,9 +3468,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961453/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "jpg", @@ -3529,7 +3484,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961454/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", 
@@ -3548,9 +3502,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "univirtek.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961454/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "jpg", @@ -3564,7 +3518,6 @@ "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", "event.module": "threatintel", - "event.reference": "https://urlhaus.abuse.ch/url/961448/", "event.type": "indicator", "fileset.name": "abuseurl", "input.type": "log", @@ -3583,9 +3536,9 @@ ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.domain": "belfetproduction.com", "threatintel.indicator.first_seen": "2021-01-14T20:49:36.000Z", "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961448/", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "png", diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json index ae4d6f5223d2..f527da1ed989 100644 --- a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json 
@@ -31,6 +31,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:58:57.431Z", + "threatintel.indicator.first_seen": "2020-01-22T02:58:57.431Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", @@ -72,6 +73,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:58:57.503Z", + "threatintel.indicator.first_seen": "2020-01-22T02:58:57.503Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "worldatdoor.in", @@ -112,7 +114,8 @@ ], "threatintel.anomali.pattern": "[url:value = 'http://f0387770.xsph.ru/login']", "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:57.570Z", + "threatintel.anomali.valid_from": "2020-01-22T02:58:57.57Z", + "threatintel.indicator.first_seen": "2020-01-22T02:58:57.570Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0387770.xsph.ru", @@ -153,6 +156,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://178.62.187.103/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:58:59.366Z", + "threatintel.indicator.first_seen": "2020-01-22T02:58:59.366Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "178.62.187.103", 
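Review bot: `threatintel.anomali.valid_from` is no longer a normalized timestamp in the `@@ -112,7 +114,8 @@` hunk: it changes from `2020-01-22T02:58:57.570Z` to `2020-01-22T02:58:57.57Z` while the new `threatintel.indicator.first_seen` keeps the three-digit fraction, which suggests the date processor's parsed output now lands only in `first_seen` and `valid_from` is left as the raw feed string. That is a silent format change on an existing field; if `valid_from` is mapped as a `date` type in the module's field definitions, whether it indexes now depends on whatever the feed emits rather than on the pipeline's normalization. The same shift appears in `@@ -274,7 +280,8 @@`, `@@ -1188,7 +1217,8 @@`, `@@ -1342,7 +1375,8 @@` and `@@ -1505,7 +1542,8 @@`. If `valid_from` should stay normalized, keep the date processor targeting it and derive the new field with `- set:` / `    field: threatintel.indicator.first_seen` / `    copy_from: threatintel.anomali.valid_from`; otherwise the field documentation should state that `valid_from` is passed through unmodified.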
@@ -193,6 +197,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:58:59.457Z", + "threatintel.indicator.first_seen": "2020-01-22T02:58:59.457Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "appareluea.com", @@ -234,6 +239,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:59:06.402Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:06.402Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "nkpotu.xyz", @@ -274,7 +280,8 @@ ], "threatintel.anomali.pattern": "[ipv4-addr:value = '162.144.128.116']", "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:19.990Z", + "threatintel.anomali.valid_from": "2020-01-22T02:59:19.99Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:19.990Z", "threatintel.indicator.ip": "162.144.128.116", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -311,6 +318,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:59:20.155Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:20.155Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ntrcgroup.com", 
@@ -352,6 +360,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:59:25.521Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:25.521Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", @@ -393,6 +402,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://f0390764.xsph.ru/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:59:25.626Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:25.626Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0390764.xsph.ru", @@ -433,6 +443,7 @@ "threatintel.anomali.pattern": "[ipv4-addr:value = '45.143.138.39']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:59:36.461Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:36.461Z", "threatintel.indicator.ip": "45.143.138.39", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -469,6 +480,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:59:41.193Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:41.193Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "aglfreight.com.my", 
@@ -510,6 +522,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://95.182.122.184/']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:59:41.228Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:41.228Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "95.182.122.184", @@ -550,6 +563,7 @@ "threatintel.anomali.pattern": "[ipv4-addr:value = '198.54.115.121']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:59:51.313Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:51.313Z", "threatintel.indicator.ip": "198.54.115.121", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -586,6 +600,7 @@ "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.119.172']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:59:51.372Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:51.372Z", "threatintel.indicator.ip": "192.185.119.172", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -622,6 +637,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://f0389246.xsph.ru/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T02:59:51.442Z", + "threatintel.indicator.first_seen": "2020-01-22T02:59:51.442Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0389246.xsph.ru", 
@@ -662,6 +678,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/server/cp.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:01.563Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:01.563Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "appareluea.com", @@ -703,6 +720,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:03.138Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:03.138Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "nkpotu.xyz", @@ -744,6 +762,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:03.396Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:03.396Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", @@ -785,6 +804,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:03.642Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:03.642Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "mecharnise.ir", 
@@ -826,6 +846,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:27.534Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:27.534Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", @@ -867,6 +888,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:27.591Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:27.591Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "kironofer.com", @@ -908,6 +930,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:45.787Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:45.787Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "worldatdoor.in", @@ -949,6 +972,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:45.841Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:45.841Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "smartlinktelecom.top", 
@@ -990,6 +1014,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://carirero.net/login.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:45.959Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:45.959Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "carirero.net", @@ -1031,6 +1056,7 @@ "threatintel.anomali.pattern": "[ipv4-addr:value = '74.116.84.20']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:46.025Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:46.025Z", "threatintel.indicator.ip": "74.116.84.20", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -1067,6 +1093,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://tuu.nu/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:00:57.729Z", + "threatintel.indicator.first_seen": "2020-01-22T03:00:57.729Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "tuu.nu", @@ -1107,6 +1134,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:01:02.696Z", + "threatintel.indicator.first_seen": "2020-01-22T03:01:02.696Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "dulfix.com", 
@@ -1148,6 +1176,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:01:02.807Z", + "threatintel.indicator.first_seen": "2020-01-22T03:01:02.807Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "deliciasdvally.com.pe", @@ -1188,7 +1217,8 @@ ], "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']", "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:01:24.810Z", + "threatintel.anomali.valid_from": "2020-01-22T03:01:24.81Z", + "threatintel.indicator.first_seen": "2020-01-22T03:01:24.810Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "nkpotu.xyz", @@ -1230,6 +1260,7 @@ "threatintel.anomali.pattern": "[ipv4-addr:value = '194.87.147.80']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:01:41.158Z", + "threatintel.indicator.first_seen": "2020-01-22T03:01:41.158Z", "threatintel.indicator.ip": "194.87.147.80", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -1266,6 +1297,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:01:57.189Z", + "threatintel.indicator.first_seen": "2020-01-22T03:01:57.189Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "35.158.92.3", 
@@ -1307,6 +1339,7 @@ "threatintel.anomali.pattern": "[ipv4-addr:value = '45.95.168.70']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:01:57.279Z", + "threatintel.indicator.first_seen": "2020-01-22T03:01:57.279Z", "threatintel.indicator.ip": "45.95.168.70", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -1342,7 +1375,8 @@ ], "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:02:50.570Z", + "threatintel.anomali.valid_from": "2020-01-22T03:02:50.57Z", + "threatintel.indicator.first_seen": "2020-01-22T03:02:50.570Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", @@ -1384,6 +1418,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://f0391600.xsph.ru/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:02:52.496Z", + "threatintel.indicator.first_seen": "2020-01-22T03:02:52.496Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0391600.xsph.ru", @@ -1424,6 +1459,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://extraclick.space/login.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:03:42.819Z", + "threatintel.indicator.first_seen": "2020-01-22T03:03:42.819Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "extraclick.space", 
@@ -1465,6 +1501,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://petrogarmani.pw/login.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:03:52.044Z", + "threatintel.indicator.first_seen": "2020-01-22T03:03:52.044Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "petrogarmani.pw", @@ -1505,7 +1542,8 @@ ], "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']", "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:01.650Z", + "threatintel.anomali.valid_from": "2020-01-22T03:04:01.65Z", + "threatintel.indicator.first_seen": "2020-01-22T03:04:01.650Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "worldatdoor.in", @@ -1547,6 +1585,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://zanlma.com/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:04:32.717Z", + "threatintel.indicator.first_seen": "2020-01-22T03:04:32.717Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "zanlma.com", @@ -1587,6 +1626,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://f0369688.xsph.ru/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:04:56.858Z", + "threatintel.indicator.first_seen": "2020-01-22T03:04:56.858Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0369688.xsph.ru", 
@@ -1627,6 +1667,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-22T03:04:59.245Z", + "threatintel.indicator.first_seen": "2020-01-22T03:04:59.245Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", @@ -1668,6 +1709,7 @@ "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.214.199']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-23T03:00:22.287Z", + "threatintel.indicator.first_seen": "2020-01-23T03:00:22.287Z", "threatintel.indicator.ip": "192.185.214.199", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -1704,6 +1746,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-23T03:01:11.329Z", + "threatintel.indicator.first_seen": "2020-01-23T03:01:11.329Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "softtouchcollars.com", @@ -1745,6 +1788,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-23T03:01:36.682Z", + "threatintel.indicator.first_seen": "2020-01-23T03:01:36.682Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "imobiliariatirol.com", 
@@ -1786,6 +1830,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-23T03:02:15.854Z", + "threatintel.indicator.first_seen": "2020-01-23T03:02:15.854Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "deliveryexpressworld.xyz", @@ -1827,6 +1872,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://f0392261.xsph.ru/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-23T03:02:47.364Z", + "threatintel.indicator.first_seen": "2020-01-23T03:02:47.364Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0392261.xsph.ru", @@ -1867,6 +1913,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-23T03:03:05.048Z", + "threatintel.indicator.first_seen": "2020-01-23T03:03:05.048Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "104.168.99.168", @@ -1908,6 +1955,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-23T03:03:15.734Z", + "threatintel.indicator.first_seen": "2020-01-23T03:03:15.734Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0387404.xsph.ru", 
@@ -1949,6 +1997,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-23T03:03:42.599Z", + "threatintel.indicator.first_seen": "2020-01-23T03:03:42.599Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "a0386457.xsph.ru", @@ -1990,6 +2039,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:57:04.821Z", + "threatintel.indicator.first_seen": "2020-01-24T02:57:04.821Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "defenseisrael.com", @@ -2031,6 +2081,7 @@ "threatintel.anomali.pattern": "[ipv4-addr:value = '91.215.170.249']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:57:04.857Z", + "threatintel.indicator.first_seen": "2020-01-24T02:57:04.857Z", "threatintel.indicator.ip": "91.215.170.249", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -2067,6 +2118,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:57:04.883Z", + "threatintel.indicator.first_seen": "2020-01-24T02:57:04.883Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "lbfb3f03.justinstalledpanel.com", 
@@ -2107,6 +2159,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:57:12.997Z", + "threatintel.indicator.first_seen": "2020-01-24T02:57:12.997Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "byedtronchgroup.yt", @@ -2148,6 +2201,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:57:13.025Z", + "threatintel.indicator.first_seen": "2020-01-24T02:57:13.025Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "199.192.28.11", @@ -2189,6 +2243,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:57:32.901Z", + "threatintel.indicator.first_seen": "2020-01-24T02:57:32.901Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "217.8.117.51", @@ -2230,6 +2285,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://lansome.site/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:57:32.929Z", + "threatintel.indicator.first_seen": "2020-01-24T02:57:32.929Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "lansome.site", 
@@ -2270,6 +2326,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:57:49.028Z", + "threatintel.indicator.first_seen": "2020-01-24T02:57:49.028Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "iplusvietnam.com.vn", @@ -2311,6 +2368,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:58:03.345Z", + "threatintel.indicator.first_seen": "2020-01-24T02:58:03.345Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "leakaryadeen.com", @@ -2352,6 +2410,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:58:16.318Z", + "threatintel.indicator.first_seen": "2020-01-24T02:58:16.318Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "oaa-my.com", @@ -2393,6 +2452,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:58:16.358Z", + "threatintel.indicator.first_seen": "2020-01-24T02:58:16.358Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "thaubenuocngam.com", 
@@ -2434,6 +2494,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:58:32.126Z", + "threatintel.indicator.first_seen": "2020-01-24T02:58:32.126Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "suspiciousactivity.xyz", @@ -2474,6 +2535,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.8/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:58:37.603Z", + "threatintel.indicator.first_seen": "2020-01-24T02:58:37.603Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "217.8.117.8", @@ -2514,6 +2576,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://f0387550.xsph.ru/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:58:37.643Z", + "threatintel.indicator.first_seen": "2020-01-24T02:58:37.643Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0387550.xsph.ru", @@ -2554,6 +2617,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:58:39.465Z", + "threatintel.indicator.first_seen": "2020-01-24T02:58:39.465Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "lf4e4abf.justinstalledpanel.com", 
@@ -2594,6 +2658,7 @@ "threatintel.anomali.pattern": "[ipv4-addr:value = '206.217.131.245']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:59:02.031Z", + "threatintel.indicator.first_seen": "2020-01-24T02:59:02.031Z", "threatintel.indicator.ip": "206.217.131.245", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -2630,6 +2695,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:59:15.878Z", + "threatintel.indicator.first_seen": "2020-01-24T02:59:15.878Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "67.215.224.101", @@ -2671,6 +2737,7 @@ "threatintel.anomali.pattern": "[ipv4-addr:value = '162.241.73.163']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:59:29.155Z", + "threatintel.indicator.first_seen": "2020-01-24T02:59:29.155Z", "threatintel.indicator.ip": "162.241.73.163", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "ipv4-addr" @@ -2707,6 +2774,7 @@ "threatintel.anomali.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']", "threatintel.anomali.type": "indicator", "threatintel.anomali.valid_from": "2020-01-24T02:59:50.233Z", + "threatintel.indicator.first_seen": "2020-01-24T02:59:50.233Z", "threatintel.indicator.provider": "CyberCrime", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "l60bdd58.justinstalledpanel.com", 
@@ -2747,6 +2815,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:50.255Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:50.255Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "107.175.150.73",
@@ -2788,6 +2857,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://5.188.60.52/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:52.536Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:52.536Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "5.188.60.52",
@@ -2828,6 +2898,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://trotdeiman.ga/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:54.784Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:54.784Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "trotdeiman.ga",
@@ -2868,6 +2939,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.8']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T02:59:54.815Z",
+ "threatintel.indicator.first_seen": "2020-01-24T02:59:54.815Z",
 "threatintel.indicator.ip": "217.8.117.8",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -2904,6 +2976,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '104.223.170.113']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:01.726Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:01.726Z",
 "threatintel.indicator.ip": "104.223.170.113",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -2940,6 +3013,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:01.762Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:01.762Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "tavim.org",
@@ -2981,6 +3055,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:10.928Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:10.928Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "onlinesecuritycenter.xyz",
@@ -3021,6 +3096,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:20.166Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:20.166Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "oaa-my.com",
@@ -3062,6 +3138,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://jumbajumbadun.fun/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:24.048Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:24.048Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "jumbajumbadun.fun",
@@ -3102,6 +3179,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:00:55.816Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:00:55.816Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "tavim.org",
@@ -3143,6 +3221,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:01:10.501Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:01:10.501Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "l0c23205.justinstalledpanel.com",
@@ -3183,6 +3262,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:01:10.518Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:01:10.518Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "l535e9e5.justinstalledpanel.com",
@@ -3223,6 +3303,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.47']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-24T03:01:14.843Z",
+ "threatintel.indicator.first_seen": "2020-01-24T03:01:14.843Z",
 "threatintel.indicator.ip": "217.8.117.47",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -3259,6 +3340,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57/northon/']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:12.699Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:12.699Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "46.161.27.57",
@@ -3299,6 +3381,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.170/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:28.034Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:28.034Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "104.168.99.170",
@@ -3339,6 +3422,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:38.187Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:38.187Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "officelog.org",
@@ -3380,6 +3464,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0391587.xsph.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:38.214Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:38.214Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0391587.xsph.ru",
@@ -3420,6 +3505,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:47.281Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:47.281Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "46.161.27.57",
@@ -3461,6 +3547,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://f0393086.xsph.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:51.296Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:51.296Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "f0393086.xsph.ru",
@@ -3501,6 +3588,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:56.007Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:56.007Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "insuncos.com",
@@ -3542,6 +3630,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://tg-h.ru/login']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:57:56.044Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:57:56.044Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "tg-h.ru",
@@ -3582,6 +3671,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:58:11.038Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:11.038Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "wusetwo.xyz",
@@ -3622,7 +3712,8 @@
 ],
 "threatintel.anomali.pattern": "[url:value = 'http://185.234.217.36/northon/']",
 "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:20.420Z",
+ "threatintel.anomali.valid_from": "2020-01-25T02:58:20.42Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:20.420Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "185.234.217.36",
@@ -3663,6 +3754,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:58:20.448Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:20.448Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "topik07.mcdir.ru",
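Review bot: In the `@@ -3622,7 +3712,8 @@` hunk the expected `threatintel.anomali.valid_from` changes from `"2020-01-25T02:58:20.420Z"` to `"2020-01-25T02:58:20.42Z"` while the newly added `threatintel.indicator.first_seen` keeps the zero-padded `.420Z`; the `@@ -3825,7 +3920,8 @@` hunk on the next physical line shows the same drift. This looks like a side effect of the date processor now targeting `first_seen` instead of `valid_from`, so `valid_from` is no longer parsed and carries whatever string the vendor serialized. If the module's field mapping declares `threatintel.anomali.valid_from` as a date it will still index, but the two fields no longer compare equal as strings and the raw form now depends on the upstream serializer rather than on the pipeline. Consider either keeping a date processor on `valid_from` (with its own target) or stating in the module's fields documentation that `valid_from` is the unnormalized source value.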
@@ -3704,6 +3796,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:58:33.189Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:33.189Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "insuncos.com",
@@ -3745,6 +3838,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:58:49.056Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:49.056Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "185.234.218.68",
@@ -3785,6 +3879,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:58:59.472Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:58:59.472Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "officelog.org",
@@ -3825,7 +3920,8 @@
 ],
 "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:59:27.070Z",
+ "threatintel.anomali.valid_from": "2020-01-25T02:59:27.07Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:59:27.070Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "officelog.org",
@@ -3867,6 +3963,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:59:28.967Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:59:28.967Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "officelog.org",
@@ -3908,6 +4005,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:59:37.661Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:59:37.661Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "oaa-my.com",
@@ -3949,6 +4047,7 @@
 "threatintel.anomali.pattern": "[ipv4-addr:value = '192.64.118.56']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:59:37.692Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:59:37.692Z",
 "threatintel.indicator.ip": "192.64.118.56",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "ipv4-addr"
@@ -3985,6 +4084,7 @@
 "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']",
 "threatintel.anomali.type": "indicator",
 "threatintel.anomali.valid_from": "2020-01-25T02:59:54.296Z",
+ "threatintel.indicator.first_seen": "2020-01-25T02:59:54.296Z",
 "threatintel.indicator.provider": "CyberCrime",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "insuncos.com",
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
index fa19350c1b26..21c627dde57d 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
@@ -30,16 +30,18 @@
 "threatintel.anomalithreatstream.value_type": "domain",
 "threatintel.indicator.as.organization.name": "OVH Hosting",
 "threatintel.indicator.confidence": 2,
- "threatintel.indicator.domain": "d4xgfj.example.net",
 "threatintel.indicator.first_seen": "2020-10-08T12:21:50.000Z",
 "threatintel.indicator.geo.country_iso_code": "FR",
 "threatintel.indicator.geo.location.lat": -49.1,
 "threatintel.indicator.geo.location.lon": 94.4,
 "threatintel.indicator.ip": "203.0.113.35",
 "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "d4xgfj.example.net"
 },
 {
 "event.category": "threat",
@@ -80,7 +82,9 @@
 "threatintel.indicator.geo.location.lon": -64.7,
 "threatintel.indicator.ip": "2001:db8:fc77:2510:5ab8:7bc8:65a3:4894",
 "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv6-addr"
 },
@@ -123,7 +127,9 @@
 "threatintel.indicator.geo.location.lon": 0.0,
 "threatintel.indicator.ip": "192.0.2.8",
 "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -162,7 +168,9 @@
 "threatintel.indicator.confidence": 6,
 "threatintel.indicator.first_seen": "2020-10-08T12:22:16.000Z",
 "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -206,7 +214,9 @@
 "threatintel.indicator.geo.location.lon": -129.3,
 "threatintel.indicator.ip": "192.0.2.235",
 "threatintel.indicator.last_seen": "2020-10-09T18:49:37.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -249,7 +259,9 @@
 "threatintel.indicator.geo.location.lon": -52.2,
 "threatintel.indicator.ip": "2001:db8:df14:f43b:a986:5e2a:8ce9:4523",
 "threatintel.indicator.last_seen": "2020-10-09T18:49:37.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv6-addr"
 },
@@ -294,13 +306,15 @@
 "threatintel.anomalithreatstream.update_id": 1356750652,
 "threatintel.anomalithreatstream.value_type": "domain",
 "threatintel.indicator.confidence": 7,
- "threatintel.indicator.domain": "ei1im6skd.example.com",
 "threatintel.indicator.first_seen": "2020-10-09T18:14:43.000Z",
 "threatintel.indicator.ip": "203.0.113.130",
 "threatintel.indicator.last_seen": "2020-10-09T18:14:43.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "ei1im6skd.example.com"
 },
 {
 "event.category": "threat",
@@ -336,7 +350,9 @@
 "threatintel.indicator.confidence": 6,
 "threatintel.indicator.first_seen": "2020-10-09T18:30:10.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:10.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -376,7 +392,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.236",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:13.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ax1a6o38z.example.org",
@@ -423,7 +441,9 @@
 "threatintel.indicator.geo.country_iso_code": "CN",
 "threatintel.indicator.ip": "2001:db8:62cc:2fd2:f406:9c03:e2e8:617d",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:13.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "beko3.example.com",
@@ -468,7 +488,9 @@
 "threatintel.indicator.confidence": 1,
 "threatintel.indicator.first_seen": "2020-10-09T18:30:22.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:22.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -508,7 +530,9 @@
 "threatintel.indicator.confidence": 6,
 "threatintel.indicator.first_seen": "2020-10-09T18:30:23.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:23.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -548,7 +572,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "192.0.2.162",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:30.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "sevs82.example.com",
@@ -594,7 +620,9 @@
 "threatintel.indicator.confidence": 2,
 "threatintel.indicator.first_seen": "2020-10-09T18:30:37.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:37.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -632,7 +660,9 @@
 "threatintel.indicator.confidence": 5,
 "threatintel.indicator.first_seen": "2020-10-09T18:30:40.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:40.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -671,7 +701,9 @@
 "threatintel.indicator.confidence": 8,
 "threatintel.indicator.first_seen": "2020-10-09T18:30:45.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:45.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -712,7 +744,9 @@
 "threatintel.indicator.confidence": 0,
 "threatintel.indicator.first_seen": "2020-10-09T18:30:54.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:54.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -752,7 +786,9 @@
 "threatintel.indicator.confidence": 3,
 "threatintel.indicator.first_seen": "2020-10-09T18:30:59.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:30:59.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -790,7 +826,9 @@
 "threatintel.indicator.confidence": 2,
 "threatintel.indicator.first_seen": "2020-10-09T18:31:10.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:10.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -830,7 +868,9 @@
 "threatintel.indicator.confidence": 6,
 "threatintel.indicator.first_seen": "2020-10-09T18:31:16.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:16.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -869,7 +909,9 @@
 "threatintel.indicator.confidence": 1,
 "threatintel.indicator.first_seen": "2020-10-09T18:31:22.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:22.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -912,7 +954,9 @@
 "threatintel.indicator.confidence": 5,
 "threatintel.indicator.first_seen": "2020-10-09T18:31:27.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:27.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -949,7 +993,9 @@
 "threatintel.anomalithreatstream.value_type": "md5",
 "threatintel.indicator.first_seen": "2020-10-09T18:31:29.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:29.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -988,7 +1034,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.229",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:34.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "faahk3drf.example.net",
@@ -1033,7 +1081,9 @@
 "threatintel.indicator.confidence": 7,
 "threatintel.indicator.first_seen": "2020-10-09T18:31:36.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:36.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1073,7 +1123,9 @@
 "threatintel.indicator.confidence": 7,
 "threatintel.indicator.first_seen": "2020-10-09T18:31:39.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:39.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1112,7 +1164,9 @@
 "threatintel.indicator.confidence": 2,
 "threatintel.indicator.first_seen": "2020-10-09T18:31:43.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:43.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1152,7 +1206,9 @@
 "threatintel.indicator.geo.country_iso_code": "DE",
 "threatintel.indicator.ip": "192.0.2.219",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:49.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -1191,7 +1247,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "192.0.2.208",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:49.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "p9okf0.example.org",
@@ -1237,7 +1295,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.105",
 "threatintel.indicator.last_seen": "2020-10-09T18:31:58.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "fxkeo24m.example.com",
@@ -1283,7 +1343,9 @@
 "threatintel.indicator.confidence": 1,
 "threatintel.indicator.first_seen": "2020-10-09T18:32:02.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:32:02.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1322,7 +1384,9 @@
 "threatintel.indicator.confidence": 9,
 "threatintel.indicator.first_seen": "2020-10-09T18:32:03.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:32:03.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1362,7 +1426,9 @@
 "threatintel.indicator.confidence": 3,
 "threatintel.indicator.first_seen": "2020-10-09T18:32:04.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:32:04.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1401,7 +1467,9 @@
 "threatintel.indicator.confidence": 5,
 "threatintel.indicator.first_seen": "2020-10-09T18:32:08.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:32:08.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1441,7 +1509,9 @@
 "threatintel.indicator.confidence": 5,
 "threatintel.indicator.first_seen": "2020-10-09T18:32:11.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:32:11.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1480,7 +1550,9 @@
 "threatintel.indicator.confidence": 1,
 "threatintel.indicator.first_seen": "2020-10-09T18:32:19.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:32:19.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1519,7 +1591,9 @@
 "threatintel.indicator.geo.country_iso_code": "CN",
 "threatintel.indicator.ip": "2001:db8:b94f:43d3:f1ef:8964:c8e3:48d4",
 "threatintel.indicator.last_seen": "2020-10-09T18:32:30.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv6-addr"
 },
@@ -1558,7 +1632,9 @@
 "threatintel.indicator.confidence": 6,
 "threatintel.indicator.first_seen": "2020-10-09T18:32:35.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:32:35.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1598,7 +1674,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.16",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:10.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ke4ffyj5.example.com",
@@ -1643,7 +1721,9 @@
 "threatintel.indicator.confidence": 4,
 "threatintel.indicator.first_seen": "2020-10-09T18:33:13.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:13.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1682,7 +1762,9 @@
 "threatintel.indicator.confidence": 3,
 "threatintel.indicator.first_seen": "2020-10-09T18:33:14.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:14.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1720,7 +1802,9 @@
 "threatintel.indicator.confidence": 6,
 "threatintel.indicator.first_seen": "2020-10-09T18:33:14.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:14.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1760,7 +1844,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "192.0.2.154",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:22.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "rl27d.example.net",
@@ -1805,7 +1891,9 @@
 "threatintel.indicator.confidence": 5,
 "threatintel.indicator.first_seen": "2020-10-09T18:33:24.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:24.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1845,7 +1933,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.228",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:26.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "6ygk0y.example.com",
@@ -1890,7 +1980,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.38",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:27.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "rcsr9o.example.net",
@@ -1936,7 +2028,9 @@
 "threatintel.anomalithreatstream.value_type": "md5",
 "threatintel.indicator.first_seen": "2020-10-09T18:33:29.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:29.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -1976,7 +2070,9 @@
 "threatintel.indicator.confidence": 5,
 "threatintel.indicator.first_seen": "2020-10-09T18:33:43.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:43.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2017,7 +2113,9 @@
 "threatintel.indicator.confidence": 6,
 "threatintel.indicator.first_seen": "2020-10-09T18:33:45.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:45.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2055,7 +2153,9 @@
 "threatintel.indicator.confidence": 8,
 "threatintel.indicator.first_seen": "2020-10-09T18:33:45.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:45.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2095,7 +2195,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "192.0.2.115",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:48.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cc7d.example.com",
@@ -2141,7 +2243,9 @@
 "threatintel.indicator.confidence": 4,
 "threatintel.indicator.first_seen": "2020-10-09T18:33:51.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:51.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2181,7 +2285,9 @@
 "threatintel.indicator.geo.country_iso_code": "VN",
 "threatintel.indicator.ip": "192.0.2.61",
 "threatintel.indicator.last_seen": "2020-10-09T18:33:57.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -2220,7 +2326,9 @@
 "threatintel.indicator.geo.country_iso_code": "DE",
 "threatintel.indicator.ip": "192.0.2.233",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -2259,7 +2367,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "2001:db8:9850:9607:e204:423b:cade:837e",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "v9aqrp81q.example.net",
@@ -2303,7 +2413,9 @@
 "threatintel.indicator.geo.country_iso_code": "IN",
 "threatintel.indicator.ip": "192.0.2.234",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -2343,7 +2455,9 @@
 "threatintel.indicator.confidence": 10,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:02.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:02.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2384,7 +2498,9 @@
 "threatintel.indicator.confidence": 1,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:05.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:05.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2422,7 +2538,9 @@
 "threatintel.indicator.confidence": 2,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:11.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:11.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2461,7 +2579,9 @@
 "threatintel.indicator.confidence": 5,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:12.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:12.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2499,7 +2619,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.83",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:17.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "o4kqv8b8.example.net",
@@ -2546,7 +2668,9 @@
 "threatintel.indicator.confidence": 9,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:20.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:20.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2586,7 +2710,9 @@
 "threatintel.indicator.confidence": 3,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:20.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:20.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2627,7 +2753,9 @@
 "threatintel.indicator.confidence": 0,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:32.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:32.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2665,7 +2793,9 @@
 "threatintel.indicator.confidence": 1,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:32.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:32.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2702,7 +2832,9 @@
 "threatintel.anomalithreatstream.value_type": "md5",
 "threatintel.indicator.first_seen": "2020-10-09T18:34:39.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:39.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2741,7 +2873,9 @@
 "threatintel.indicator.confidence": 5,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:40.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:40.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2780,7 +2914,9 @@
 "threatintel.indicator.geo.country_iso_code": "VN",
 "threatintel.indicator.ip": "192.0.2.88",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:41.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -2820,7 +2956,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.111",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:43.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "91p0p.example.com",
@@ -2864,7 +3002,9 @@
 "threatintel.indicator.confidence": 7,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:48.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:48.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2902,7 +3042,9 @@
 "threatintel.indicator.confidence": 2,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:53.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:53.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2941,7 +3083,9 @@
 "threatintel.indicator.confidence": 2,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:53.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:53.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -2980,7 +3124,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.133",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:54.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "lzr6.example.org",
@@ -3024,7 +3170,9 @@
 "threatintel.indicator.confidence": 8,
 "threatintel.indicator.first_seen": "2020-10-09T18:34:55.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:34:55.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -3062,7 +3210,9 @@
 "threatintel.indicator.confidence": 5,
 "threatintel.indicator.first_seen": "2020-10-09T18:35:01.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:35:01.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -3102,7 +3252,9 @@
 "threatintel.indicator.confidence": 6,
 "threatintel.indicator.first_seen": "2020-10-09T18:35:01.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:35:01.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -3141,7 +3293,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.177",
 "threatintel.indicator.last_seen": "2020-10-09T18:35:04.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "932.example.com",
@@ -3186,7 +3340,9 @@
 "threatintel.indicator.confidence": 3,
 "threatintel.indicator.first_seen": "2020-10-09T18:35:06.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:35:06.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -3225,7 +3381,9 @@
 "threatintel.indicator.confidence": 5,
 "threatintel.indicator.first_seen": "2020-10-09T18:35:22.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:35:22.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "file"
 },
@@ -3270,7 +3428,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.71",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:01.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "0te9x75e.example.net",
@@ -3317,7 +3477,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.180",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:04.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "b7qdtnl8f.example.org",
@@ -3360,12 +3522,14 @@
 "threatintel.anomalithreatstream.update_id": 1826833096,
 "threatintel.anomalithreatstream.value_type": "domain",
 "threatintel.indicator.confidence": 2,
- "threatintel.indicator.domain": "4gtq1n.example.net",
 "threatintel.indicator.first_seen": "2020-10-09T18:44:19.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:19.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "4gtq1n.example.net"
 },
 {
 "event.category": "threat",
@@ -3408,7 +3572,9 @@
 "threatintel.indicator.geo.country_iso_code": "RU",
 "threatintel.indicator.ip": "192.0.2.17",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:27.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -3448,7 +3614,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "192.0.2.183",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:35.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "tfva.example.org",
@@ -3495,7 +3663,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "203.0.113.149",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:36.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "erg2.example.com",
@@ -3547,7 +3717,9 @@
 "threatintel.indicator.geo.country_iso_code": "IN",
 "threatintel.indicator.ip": "203.0.113.27",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:37.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "0elz6c.example.com",
@@ -3594,7 +3766,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "2001:db8:129e:7520:8797:95ca:a4d1:3011",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:45.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "6i0-utr.example.com",
@@ -3645,7 +3819,9 @@
 "threatintel.indicator.geo.country_iso_code": "CN",
 "threatintel.indicator.ip": "203.0.113.128",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:47.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -3684,14 +3860,16 @@
 "threatintel.anomalithreatstream.update_id": 3315952704,
 "threatintel.anomalithreatstream.value_type": "domain",
 "threatintel.indicator.confidence": 7,
- "threatintel.indicator.domain": "ztpyt.example.org",
 "threatintel.indicator.first_seen": "2020-10-09T18:44:50.000Z",
 "threatintel.indicator.geo.country_iso_code": "HK",
 "threatintel.indicator.ip": "203.0.113.16",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:50.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "ztpyt.example.org"
 },
 {
 "event.category": "threat",
@@ -3732,7 +3910,9 @@
 "threatintel.indicator.confidence": 9,
 "threatintel.indicator.first_seen": "2020-10-09T18:44:50.000Z",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:50.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "e5el.example.net",
@@ -3777,7 +3957,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "192.0.2.226",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:54.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "eryz36i.example.net",
@@ -3824,7 +4006,9 @@
 "threatintel.indicator.geo.country_iso_code": "US",
 "threatintel.indicator.ip": "192.0.2.25",
 "threatintel.indicator.last_seen": "2020-10-09T18:44:58.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "i-pb.example.com",
@@ -3875,7 +4059,9 @@
 "threatintel.indicator.geo.country_iso_code": "IN",
 "threatintel.indicator.ip": "2001:db8:79d3:9083:95f2:a6fd:e475:4956",
 "threatintel.indicator.last_seen": "2020-10-09T18:45:05.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv6-addr"
 },
@@ -3919,7 +4105,9 @@
 "threatintel.indicator.geo.location.lon": 112.8,
 "threatintel.indicator.ip": "192.0.2.12",
 "threatintel.indicator.last_seen": "2021-04-19T08:57:46.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -3956,7 +4144,9 @@
 "threatintel.indicator.first_seen": "2021-04-29T16:02:17.000Z",
 "threatintel.indicator.ip": "203.0.113.5",
 "threatintel.indicator.last_seen": "2021-04-29T16:02:17.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -3992,7 +4182,9 @@
 "threatintel.indicator.first_seen": "2021-04-29T16:02:23.000Z",
 "threatintel.indicator.ip": "192.0.2.68",
 "threatintel.indicator.last_seen": "2021-04-29T16:02:23.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -4029,7 +4221,9 @@
 "threatintel.indicator.first_seen": "2021-04-29T16:02:24.000Z",
 "threatintel.indicator.ip": "203.0.113.54",
 "threatintel.indicator.last_seen": "2021-04-29T16:02:24.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -4066,7 +4260,9 @@
 "threatintel.indicator.first_seen": "2021-04-29T16:02:25.000Z",
 "threatintel.indicator.ip": "203.0.113.195",
 "threatintel.indicator.last_seen": "2021-04-29T16:02:25.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -4104,7 +4300,9 @@
 "threatintel.indicator.first_seen": "2021-04-29T16:02:25.000Z",
 "threatintel.indicator.ip": "192.0.2.239",
 "threatintel.indicator.last_seen": "2021-04-29T16:02:25.000Z",
- "threatintel.indicator.marking.tlp": "Amber",
+ "threatintel.indicator.marking.tlp": [
+ "Amber"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 },
@@ -4143,7 +4341,9 @@
 "threatintel.indicator.first_seen": "2021-04-29T16:02:26.000Z",
 "threatintel.indicator.ip": "192.0.2.169",
 "threatintel.indicator.last_seen": "2021-04-29T16:02:26.000Z",
- "threatintel.indicator.marking.tlp": "White",
+ "threatintel.indicator.marking.tlp": [
+ "White"
+ ],
 "threatintel.indicator.provider": "Default Organization",
 "threatintel.indicator.type": "ipv4-addr"
 }
diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go
index 1df279b7834b..38fa5d034edf 100644
--- a/x-pack/filebeat/module/threatintel/fields.go
+++ b/x-pack/filebeat/module/threatintel/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetThreatintel returns asset data.
 // This is the base64 encoded zlib format compressed contents of module/threatintel.
 func AssetThreatintel() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
index 45edea748158..6543ec7cb6e3 100644
--- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
@@ -75,7 +75,6 @@
 "tlp:white",
 "type:OSINT"
 ],
- "threatintel.indicator.domain": "your-ip.getmyip.com",
 "threatintel.indicator.ip": "178.128.103.74",
 "threatintel.indicator.marking.tlp": [
 "white"
@@ -83,6 +82,7 @@
 "threatintel.indicator.provider": "misp",
 "threatintel.indicator.scanner_stats": 2,
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "your-ip.getmyip.com",
 "threatintel.misp.attribute.category": "Network activity",
 "threatintel.misp.attribute.comment": "1st stage",
 "threatintel.misp.attribute.deleted": false,
@@ -300,13 +300,13 @@
 "tlp:green",
 "type:OSINT"
 ],
- "threatintel.indicator.domain": "xenserver.ddns.net",
 "threatintel.indicator.marking.tlp": [
 "green"
 ],
 "threatintel.indicator.provider": "misp",
 "threatintel.indicator.scanner_stats": 2,
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "xenserver.ddns.net",
 "threatintel.misp.attribute.category": "Network activity",
 "threatintel.misp.attribute.comment": "",
 "threatintel.misp.attribute.deleted": false,
@@ -465,13 +465,13 @@
 "tlp:green",
 "type:OSINT"
 ],
- "threatintel.indicator.domain": "whatsapp.com",
 "threatintel.indicator.marking.tlp": [
 "green"
 ],
 "threatintel.indicator.provider": "misp",
 "threatintel.indicator.scanner_stats": 2,
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "whatsapp.com",
 "threatintel.misp.attribute.category": "Network activity",
 "threatintel.misp.attribute.comment": "",
 "threatintel.misp.attribute.deleted": false,
diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json
index 8a8564626d56..e56752d47c33 100644
--- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json
@@ -49,8 +49,8 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.domain": "ip.anysrc.net",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "ip.anysrc.net"
 },
 {
 "event.category": "threat",
@@ -796,8 +796,8 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.domain": "maper.info",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "maper.info"
 },
 {
 "event.category": "threat",
@@ -1144,8 +1144,8 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.domain": "fotmailz.com",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "fotmailz.com"
 },
 {
 "event.category": "threat",
@@ -1161,8 +1161,8 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.domain": "pori89g5jqo3v8.com",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "pori89g5jqo3v8.com"
 },
 {
 "event.category": "threat",
@@ -1178,8 +1178,8 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.domain": "sebco.co.ke",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "sebco.co.ke"
 },
 {
 "event.category": "threat",
@@ -1213,8 +1213,8 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.domain": "chishir.com",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "chishir.com"
 },
 {
 "event.category": "threat",
@@ -1230,8 +1230,8 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.domain": "kostunivo.com",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "kostunivo.com"
 },
 {
 "event.category": "threat",
@@ -1247,8 +1247,8 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.domain": "mangoclone.com",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "mangoclone.com"
 },
 {
 "event.category": "threat",
@@ -1264,8 +1264,8 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.domain": "onixcellent.com",
- "threatintel.indicator.type": "domain-name"
+ "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "onixcellent.com"
 },
 {
 "event.category": "threat",
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
index 12d7044c9a17..29b0a8ed4a5d 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
@@ -4,7 +4,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -15,10 +14,11 @@
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.domain": "16url-gy.example.net",
 "threatintel.indicator.first_seen": "2016-07-25T20:29:32.750Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:23:47.901Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net",
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "16url-gy.example.net",
 "threatintel.recordedfuture.entity.id": "idn:16url-gy.example.net",
 "threatintel.recordedfuture.entity.type": "InternetDomainName",
 "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net",
@@ -35,7 +35,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -46,10 +45,11 @@
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.domain": "b999f.example.org",
 "threatintel.indicator.first_seen": "2012-11-21T01:54:04.292Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:23:47.812Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org",
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "b999f.example.org",
 "threatintel.recordedfuture.entity.id": "idn:b999f.example.org",
 "threatintel.recordedfuture.entity.type": "InternetDomainName",
 "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org",
@@ -66,7 +66,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -77,10 +76,11 @@
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.domain": "c422.example.net",
 "threatintel.indicator.first_seen": "2018-02-21T13:53:46.470Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:23:47.778Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net",
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "c422.example.net",
 "threatintel.recordedfuture.entity.id": "idn:c422.example.net",
 "threatintel.recordedfuture.entity.type": "InternetDomainName",
 "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net",
@@ -97,7 +97,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -108,10 +107,11 @@
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.domain": "8rwcvgjsp.example.net",
 "threatintel.indicator.first_seen": "2016-08-15T11:56:24.964Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:23:47.747Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net",
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "8rwcvgjsp.example.net",
 "threatintel.recordedfuture.entity.id": "idn:8rwcvgjsp.example.net",
 "threatintel.recordedfuture.entity.type": "InternetDomainName",
 "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net",
@@ -128,7 +128,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -139,10 +138,11 @@
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.domain": "c9px.example.net",
 "threatintel.indicator.first_seen": "2016-06-29T21:06:06.066Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:23:47.460Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net",
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "c9px.example.net",
 "threatintel.recordedfuture.entity.id": "idn:c9px.example.net",
 "threatintel.recordedfuture.entity.type": "InternetDomainName",
 "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net",
@@ -159,7 +159,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -170,10 +169,11 @@
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.domain": "ttj1i9z7.example.com",
 "threatintel.indicator.first_seen": "2018-09-20T03:26:08.564Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com",
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "ttj1i9z7.example.com",
 "threatintel.recordedfuture.entity.id": "idn:ttj1i9z7.example.com",
 "threatintel.recordedfuture.entity.type": "InternetDomainName",
 "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com",
@@ -190,7 +190,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -201,10 +200,11 @@
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.domain": "7pgc.example.org",
 "threatintel.indicator.first_seen": "2017-02-23T17:44:16.104Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org",
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "7pgc.example.org",
 "threatintel.recordedfuture.entity.id": "idn:7pgc.example.org",
 "threatintel.recordedfuture.entity.type": "InternetDomainName",
 "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org",
@@ -221,7 +221,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -232,10 +231,11 @@
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.domain": "xm5u434.example.net",
 "threatintel.indicator.first_seen": "2017-04-10T06:55:27.658Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net",
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "xm5u434.example.net",
 "threatintel.recordedfuture.entity.id": "idn:xm5u434.example.net",
 "threatintel.recordedfuture.entity.type": "InternetDomainName",
 "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net",
@@ -252,7 +252,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -263,10 +262,11 @@
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.domain": "gpgju.example.com",
 "threatintel.indicator.first_seen": "2018-07-27T15:22:39.390Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com",
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "gpgju.example.com",
 "threatintel.recordedfuture.entity.id": "idn:gpgju.example.com",
 "threatintel.recordedfuture.entity.type": "InternetDomainName",
 "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com",
@@ -283,7 +283,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -294,10 +293,11 @@
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.domain": "55g.example.com",
 "threatintel.indicator.first_seen": "2021-01-10T21:24:38.353Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:23:45.025Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com",
 "threatintel.indicator.type": "domain-name",
+ "threatintel.indicator.url.domain": "55g.example.com",
 "threatintel.recordedfuture.entity.id": "idn:55g.example.com",
 "threatintel.recordedfuture.entity.type": "InternetDomainName",
 "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com",
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json
index 32a800a15745..dbc47e31767e 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json
@@ -4,7 +4,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
 "event.risk_score": 65.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -20,6 +19,7 @@
 "threatintel.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
 "threatintel.indicator.first_seen": "2021-06-20T18:40:18.503Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:40:18.503Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
 "threatintel.indicator.type": "file",
 "threatintel.recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6",
 "threatintel.recordedfuture.entity.type": "Hash",
@@ -54,7 +54,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
 "event.risk_score": 65.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -70,6 +69,7 @@
 "threatintel.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
 "threatintel.indicator.first_seen": "2021-06-20T18:40:18.452Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:40:18.452Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
 "threatintel.indicator.type": "file",
 "threatintel.recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2",
 "threatintel.recordedfuture.entity.type": "Hash",
@@ -104,7 +104,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
 "event.risk_score": 65.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -120,6 +119,7 @@
 "threatintel.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
 "threatintel.indicator.first_seen": "2021-06-20T18:40:18.343Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:40:18.343Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
 "threatintel.indicator.type": "file",
 "threatintel.recordedfuture.entity.id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5",
 "threatintel.recordedfuture.entity.type": "Hash",
@@ -154,7 +154,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
 "event.risk_score": 65.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -170,6 +169,7 @@
 "threatintel.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
 "threatintel.indicator.first_seen": "2021-06-20T18:40:18.258Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:40:18.258Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
 "threatintel.indicator.type": "file",
 "threatintel.recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61",
 "threatintel.recordedfuture.entity.type": "Hash",
@@ -204,7 +204,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
 "event.risk_score": 65.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -220,6 +219,7 @@
 "threatintel.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
 "threatintel.indicator.first_seen": "2021-06-20T18:40:18.131Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:40:18.131Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
 "threatintel.indicator.type": "file",
 "threatintel.recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
 "threatintel.recordedfuture.entity.type": "Hash",
@@ -246,7 +246,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
 "event.risk_score": 65.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -262,6 +261,7 @@
 "threatintel.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
 "threatintel.indicator.first_seen": "2021-06-20T18:40:18.093Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:40:18.093Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
 "threatintel.indicator.type": "file",
 "threatintel.recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
 "threatintel.recordedfuture.entity.type": "Hash",
@@ -296,7 +296,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
 "event.risk_score": 65.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -312,6 +311,7 @@
 "threatintel.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
 "threatintel.indicator.first_seen": "2021-06-20T18:40:18.070Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:40:18.070Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
 "threatintel.indicator.type": "file",
 "threatintel.recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
 "threatintel.recordedfuture.entity.type": "Hash",
@@ -346,7 +346,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
 "event.risk_score": 65.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -362,6 +361,7 @@
 "threatintel.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
 "threatintel.indicator.first_seen": "2021-06-20T18:40:18.011Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:40:18.011Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
 "threatintel.indicator.type": "file",
 "threatintel.recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
 "threatintel.recordedfuture.entity.type": "Hash",
@@ -396,7 +396,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
 "event.risk_score": 65.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -412,6 +411,7 @@
 "threatintel.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
 "threatintel.indicator.first_seen": "2021-06-20T18:40:17.964Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:40:17.964Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
 "threatintel.indicator.type": "file",
 "threatintel.recordedfuture.entity.id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
 "threatintel.recordedfuture.entity.type": "Hash",
@@ -446,7 +446,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
 "event.risk_score": 65.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -462,6 +461,7 @@
 "threatintel.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
 "threatintel.indicator.first_seen": "2021-06-20T18:40:17.919Z",
 "threatintel.indicator.last_seen": "2021-06-20T18:40:17.919Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
 "threatintel.indicator.type": "file",
 "threatintel.recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
 "threatintel.recordedfuture.entity.type": "Hash",
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
index ed121c0a4187..74488f715daf 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
@@ -4,7 +4,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -22,6 +21,7 @@
 "threatintel.indicator.geo.continent_name": "Europe",
 "threatintel.indicator.geo.country_name": "Bulgaria",
 "threatintel.indicator.last_seen": "2021-06-19T19:40:32.897Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
 "threatintel.indicator.type": "ipv6-addr",
 "threatintel.recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
 "threatintel.recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
@@ -41,7 +41,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -60,6 +59,7 @@
 "threatintel.indicator.geo.country_name": "Iran",
 "threatintel.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
 "threatintel.indicator.last_seen": "2021-06-19T19:40:32.839Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
 "threatintel.indicator.type": "ipv6-addr",
 "threatintel.recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -78,7 +78,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -96,6 +95,7 @@
 "threatintel.indicator.geo.country_name": null,
 "threatintel.indicator.ip": "203.0.113.55",
 "threatintel.indicator.last_seen": "2021-06-19T19:40:30.596Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:203.0.113.55",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -114,7 +114,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -133,6 +132,7 @@
 "threatintel.indicator.geo.country_name": "China",
 "threatintel.indicator.ip": "203.0.113.108",
 "threatintel.indicator.last_seen": "2021-06-19T19:40:20.534Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:203.0.113.108",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -151,7 +151,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -170,6 +169,7 @@
 "threatintel.indicator.geo.country_name": "Indonesia",
 "threatintel.indicator.ip": "203.0.113.139",
 "threatintel.indicator.last_seen": "2021-06-19T19:40:03.882Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:203.0.113.139",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -188,7 +188,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -207,6 +206,7 @@
 "threatintel.indicator.geo.country_name": "China",
 "threatintel.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
 "threatintel.indicator.last_seen": "2021-06-19T19:40:02.557Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
 "threatintel.indicator.type": "ipv6-addr",
 "threatintel.recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -225,7 +225,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
 "event.risk_score": 0.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -244,6 +243,7 @@
 "threatintel.indicator.geo.country_name": "China",
 "threatintel.indicator.ip": "192.0.2.147",
 "threatintel.indicator.last_seen": "2021-06-19T19:39:43.160Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:192.0.2.147",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -262,7 +262,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -281,6 +280,7 @@
 "threatintel.indicator.geo.country_name": "India",
 "threatintel.indicator.ip": "203.0.113.198",
 "threatintel.indicator.last_seen": "2021-06-19T19:39:25.532Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:203.0.113.198",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -308,7 +308,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
 "event.risk_score": 15.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -327,6 +326,7 @@
 "threatintel.indicator.geo.country_name": "India",
 "threatintel.indicator.ip": "192.0.2.179",
 "threatintel.indicator.last_seen": "2021-06-19T19:39:11.694Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:192.0.2.179",
 "threatintel.recordedfuture.entity.type": "IpAddress",
@@ -370,7 +370,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -389,6 +388,7 @@
 "threatintel.indicator.geo.country_name": "Vietnam",
 "threatintel.indicator.ip": "192.0.2.245",
 "threatintel.indicator.last_seen": "2021-06-19T19:38:57.372Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245",
 "threatintel.indicator.type": "ipv4-addr",
 "threatintel.recordedfuture.entity.id": "ip:192.0.2.245",
 "threatintel.recordedfuture.entity.type": "IpAddress",
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
index b341365e428f..779d86ae9652 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json
@@ -4,7 +4,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -17,6 +16,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "d6s.example.net",
 "threatintel.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj",
@@ -48,7 +48,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -61,6 +60,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "ga7v9u.example.org",
 "threatintel.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61",
@@ -92,7 +92,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -105,6 +104,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "cdmw.example.net",
 "threatintel.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc",
@@ -136,7 +136,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -149,6 +148,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "4mne.example.local",
 "threatintel.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0",
@@ -180,7 +180,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -193,6 +192,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "z198hloc8.example.com",
 "threatintel.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii",
@@ -224,7 +224,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -237,6 +236,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "y484j-fb6.example.local",
 "threatintel.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
@@ -268,7 +268,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -281,6 +280,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "sp2xyqq82.example.local",
 "threatintel.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
@@ -312,7 +312,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -325,6 +324,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "zh4o7xc.example.com",
 "threatintel.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
@@ -356,7 +356,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -369,6 +368,7 @@
 ],
 "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
 "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
 "threatintel.indicator.type": "url",
 "threatintel.indicator.url.domain": "fiivf4s.example.org",
 "threatintel.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
@@ -400,7 +400,6 @@
 "event.dataset": "threatintel.recordedfuture",
 "event.kind": "enrichment",
 "event.module": "threatintel",
- "event.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
 "event.risk_score": 5.0,
 "event.type": "indicator",
 "fileset.name": "recordedfuture",
@@ -413,6 +412,7 @@ ], "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "abav9v.example.org", "threatintel.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1", From 221da56b882b7e0e5d41a014d2cf28d04dc4b9f0 Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Fri, 3 Sep 2021 14:12:21 -0500 Subject: [PATCH 6/9] Run `make update` in filebeat --- filebeat/docs/fields.asciidoc | 12 +++++++++++- filebeat/docs/modules/threatintel.asciidoc | 2 +- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 1a1d8abab2e6..2f09ee70d736 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -152063,6 +152063,16 @@ type: keyword Identifies the name of specific dataset from the intelligence source. +type: keyword + +-- + +*`threatintel.indicator.reference`*:: ++ +-- +Reference URL linking to additional information about this indicator. + + type: keyword -- @@ -152077,7 +152087,7 @@ type: ip -- -*`threatintel.indicator.domain`*:: +*`threatintel.indicator.url.domain`*:: + -- Identifies a threat indicator as a domain (irrespective of direction). diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc index f637b8beb6cd..71ec12ff9f54 100644 --- a/filebeat/docs/modules/threatintel.asciidoc +++ b/filebeat/docs/modules/threatintel.asciidoc 
@@ -68,7 +68,7 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================== | URL Threat Intel Fields | ECS Fields -| url | threat.indicator.url.full +| url | threatintel.indicator.url.full | date_added | @timestamp | host | threatintel.indicator.ip/domain |============================================================== From b1bbd3ecbbc2a265adf474a9f0caee6378da742f Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Tue, 7 Sep 2021 10:23:35 +0200 Subject: [PATCH 7/9] fixing duplicate fields --- x-pack/filebeat/module/threatintel/_meta/docs.asciidoc | 2 +- x-pack/filebeat/module/threatintel/_meta/fields.yml | 4 ---- x-pack/filebeat/module/threatintel/fields.go | 2 +- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc index 3b3a0882044d..c183d2104180 100644 --- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc @@ -468,7 +468,7 @@ Anomali ThreatStream fields are mapped to the following ECS fields: | date_first | threatintel.indicator.first_seen | date_last | threatintel.indicator.last_seen | detail | tags -| domain | threatintel.indicator.domain +| domain | threatintel.indicator.url.domain | email | threatintel.indicator.email.address | itype<> | threatintel.indicator.type | lat | threatintel.indicator.geo.location.lat diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml index 83fa64029133..1ef368f528ee 100644 --- a/x-pack/filebeat/module/threatintel/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/_meta/fields.yml 
@@ -81,10 +81,6 @@ type: ip description: > Identifies a threat indicator as an IP address (irrespective of direction). - - name: indicator.url.domain - type: keyword - description: > - Identifies a threat indicator as a domain (irrespective of direction). - name: indicator.port type: long description: > diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go index 38fa5d034edf..84f4fed3ea60 100644 --- a/x-pack/filebeat/module/threatintel/fields.go +++ b/x-pack/filebeat/module/threatintel/fields.go @@ -19,5 +19,5 @@ func init() { // AssetThreatintel returns asset data. // This is the base64 encoded zlib format compressed contents of module/threatintel. func AssetThreatintel() string { - return "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" + return "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" } From 4e039624531369ebb37e9484914bccb2603d8c0c Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Tue, 7 Sep 2021 14:02:48 +0200 Subject: [PATCH 8/9] mage fmt update --- filebeat/docs/fields.asciidoc | 10 ---------- filebeat/docs/modules/threatintel.asciidoc | 2 +- 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 2f09ee70d736..6b410d38f2bb 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -152087,16 +152087,6 @@ type: ip -- -*`threatintel.indicator.url.domain`*:: -+ --- -Identifies a threat indicator as a domain (irrespective of direction). - - -type: keyword - --- - *`threatintel.indicator.port`*:: + -- diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc index 71ec12ff9f54..4fe241ab4e0a 100644 --- a/filebeat/docs/modules/threatintel.asciidoc +++ b/filebeat/docs/modules/threatintel.asciidoc 
@@ -473,7 +473,7 @@ Anomali ThreatStream fields are mapped to the following ECS fields: | date_first | threatintel.indicator.first_seen | date_last | threatintel.indicator.last_seen | detail | tags -| domain | threatintel.indicator.domain +| domain | threatintel.indicator.url.domain | email | threatintel.indicator.email.address | itype<> | threatintel.indicator.type | lat | threatintel.indicator.geo.location.lat From 5d7443c63f202b864527f615b6afffd8278eff6a Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Tue, 7 Sep 2021 15:53:17 +0200 Subject: [PATCH 9/9] linting --- .../abusemalware/ingest/pipeline.yml | 262 +++---- .../threatintel/anomali/ingest/pipeline.yml | 283 ++++--- .../anomalithreatstream/ingest/pipeline.yml | 732 +++++++++--------- .../malwarebazaar/ingest/pipeline.yml | 393 +++++----- .../threatintel/misp/ingest/pipeline.yml | 537 +++++++------ .../threatintel/otx/ingest/pipeline.yml | 291 ++++--- .../recordedfuture/ingest/pipeline.yml | 60 +- 7 files changed, 1271 insertions(+), 1287 deletions(-) diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml index 25d2ca6358de..5e24b68c52ee 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml 
@@ -1,138 +1,138 @@ description: Pipeline for parsing Abuse.ch Malware Threat Intel processors: - #################### - # Event ECS fields # - #################### - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator - ###################### - # General ECS fields # - ###################### - - rename: - field: json - target_field: threatintel.abusemalware - ignore_missing: true + ###################### + # General ECS fields # + ###################### + - rename: + field: json + target_field: threatintel.abusemalware + ignore_missing: true - ##################### - # Threat ECS Fields # - ##################### - - date: - field: threatintel.abusemalware.firstseen - target_field: threatintel.indicator.first_seen - formats: - - "yyyy-MM-dd HH:mm:ss z" - - "yyyy-MM-dd HH:mm:ss Z" - - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.abusemalware.firstseen != null" - - set: - field: threatintel.indicator.type - value: file - - rename: - field: threatintel.abusemalware.file_size - target_field: threatintel.indicator.file.size - ignore_missing: true - - rename: - field: threatintel.abusemalware.file_type - target_field: threatintel.indicator.file.type - ignore_missing: true - # This includes a direct link to malicious files, we do not want them to appear in Kibana - # in case they are accidently clicked. 
- - remove: - field: threatintel.abusemalware.urlhaus_download - ignore_missing: true - - convert: - field: threatintel.indicator.file.size - type: long - ignore_missing: true - - rename: - field: threatintel.abusemalware.md5_hash - target_field: threatintel.indicator.file.hash.md5 - ignore_missing: true - - rename: - field: threatintel.abusemalware.sha256_hash - target_field: threatintel.indicator.file.hash.sha256 - ignore_missing: true - - rename: - field: threatintel.abusemalware.imphash - target_field: threatintel.indicator.file.pe.imphash - ignore_missing: true - - rename: - field: threatintel.abusemalware.ssdeep - target_field: threatintel.indicator.file.hash.ssdeep - ignore_missing: true - - rename: - field: threatintel.abusemalware.tlsh - target_field: threatintel.indicator.file.hash.tlsh - ignore_missing: true - - append: - field: related.hash - value: "{{ threatintel.indicator.file.hash.md5 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null - - append: - field: related.hash - value: "{{ threatintel.indicator.file.hash.sha256 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null - - append: - field: related.hash - value: "{{ threatintel.indicator.file.hash.ssdeep }}" - if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null - - append: - field: related.hash - value: "{{ threatintel.indicator.file.pe.imphash }}" - if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null - - append: - field: related.hash - value: "{{ threatintel.indicator.file.hash.tlsh }}" - if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null + ##################### + # Threat ECS Fields # + ##################### + - date: + field: threatintel.abusemalware.firstseen + target_field: threatintel.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx?.threatintel?.abusemalware.firstseen != null" + - set: + field: threatintel.indicator.type + value: file + - rename: + field: 
threatintel.abusemalware.file_size + target_field: threatintel.indicator.file.size + ignore_missing: true + - rename: + field: threatintel.abusemalware.file_type + target_field: threatintel.indicator.file.type + ignore_missing: true + # This includes a direct link to malicious files, we do not want them to appear in Kibana + # in case they are accidently clicked. + - remove: + field: threatintel.abusemalware.urlhaus_download + ignore_missing: true + - convert: + field: threatintel.indicator.file.size + type: long + ignore_missing: true + - rename: + field: threatintel.abusemalware.md5_hash + target_field: threatintel.indicator.file.hash.md5 + ignore_missing: true + - rename: + field: threatintel.abusemalware.sha256_hash + target_field: threatintel.indicator.file.hash.sha256 + ignore_missing: true + - rename: + field: threatintel.abusemalware.imphash + target_field: threatintel.indicator.file.pe.imphash + ignore_missing: true + - rename: + field: threatintel.abusemalware.ssdeep + target_field: threatintel.indicator.file.hash.ssdeep + ignore_missing: true + - rename: + field: threatintel.abusemalware.tlsh + target_field: threatintel.indicator.file.hash.tlsh + ignore_missing: true + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.md5 }}" + if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.sha256 }}" + if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.ssdeep }}" + if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.pe.imphash }}" + if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null + - append: + field: related.hash + value: "{{ threatintel.indicator.file.hash.tlsh }}" + if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null - ###################### - # Cleanup processors # - 
###################### - - set: - field: threatintel.indicator.type - value: unknown - if: ctx?.threatintel?.indicator?.type == null - - script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); + ###################### + # Cleanup processors # + ###################### + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: - - threatintel.abusemalware.firstseen - - message - ignore_missing: true + } + } + handleMap(ctx); + - remove: + field: + - threatintel.abusemalware.firstseen + - message + ignore_missing: true on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml index 678aafb25fef..eccbf5e9826e 100644 --- a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml 
@@ -1,153 +1,152 @@ description: Pipeline for parsing Anomali Threat Intel processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator -#################### -# Event ECS fields # -#################### -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- set: - field: event.kind - value: enrichment -- set: - field: event.category - value: threat -- set: - field: event.type - value: indicator + ###################### + # General ECS fields # + ###################### + - rename: + field: json + target_field: threatintel.anomali + ignore_missing: true -###################### -# General ECS fields # -###################### -- rename: - field: json - target_field: threatintel.anomali - ignore_missing: true - -##################### -# Threat ECS Fields # -##################### -## File indicator operations -- date: - field: threatintel.anomali.created - formats: - - "yyyy-MM-dd'T'HH:mm:ssz" - - "yyyy-MM-dd'T'HH:mm:ssZ" - - "yyyy-MM-dd'T'HH:mm:ss.Sz" - - "yyyy-MM-dd'T'HH:mm:ss.SZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.created != null" -- date: - field: threatintel.anomali.modified - target_field: threatintel.anomali.modified - formats: - - "yyyy-MM-dd'T'HH:mm:ss.Sz" - - "yyyy-MM-dd'T'HH:mm:ss.SZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.modified != null" -- date: - field: threatintel.anomali.valid_from - target_field: threatintel.indicator.first_seen - formats: - - "yyyy-MM-dd'T'HH:mm:ss.Sz" - - "yyyy-MM-dd'T'HH:mm:ss.SZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSZ" 
- - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.valid_from != null" -- grok: - field: threatintel.anomali.pattern - patterns: - - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" -- rename: - field: _tmp.threattype - target_field: threatintel.indicator.type - ignore_missing: true -- rename: - field: _tmp.threatvalue - target_field: threatintel.indicator.ip - ignore_missing: true - if: "['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" -- uri_parts: - field: _tmp.threatvalue - target_field: threatintel.indicator.url - keep_original: true - remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' -- set: - field: threatintel.indicator.url.full - value: '{{{threatintel.indicator.url.original}}}' - ignore_empty_value: true -- rename: - field: _tmp.threatvalue - target_field: threatintel.indicator.email.address - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'email-addr' -- rename: - field: _tmp.threatvalue - target_field: threatintel.indicator.url.domain - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'domain-name' -- set: - field: threatintel.indicator.type - value: unknown - if: ctx?.threatintel?.indicator?.type == null -- foreach: - field: threatintel.anomali.labels - ignore_missing: true - processor: - append: - field: tags - value: "{{_ingest._value}}" - allow_duplicates: false -- grok: - field: threatintel.anomali.description - patterns: - - "^%{GREEDYDATA}Source: %{GREEDYDATA:threatintel.indicator.provider}" - ignore_missing: true - ignore_failure: true -###################### -# Cleanup processors # -###################### -- script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void 
handleList(List list) { - for (def x : list) { + ##################### + # Threat ECS Fields # + ##################### + ## File indicator operations + - date: + field: threatintel.anomali.created + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx?.threatintel?.anomali?.created != null" + - date: + field: threatintel.anomali.modified + target_field: threatintel.anomali.modified + formats: + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx?.threatintel?.anomali?.modified != null" + - date: + field: threatintel.anomali.valid_from + target_field: threatintel.indicator.first_seen + formats: + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx?.threatintel?.anomali?.valid_from != null" + - grok: + field: threatintel.anomali.pattern + patterns: + - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" + - rename: + field: _tmp.threattype + target_field: threatintel.indicator.type + ignore_missing: true + - rename: + field: _tmp.threatvalue + target_field: threatintel.indicator.ip + ignore_missing: true + if: "['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" + - uri_parts: + field: _tmp.threatvalue + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + if: ctx?.threatintel?.indicator?.type == 'url' + - set: + field: threatintel.indicator.url.full + value: "{{{threatintel.indicator.url.original}}}" + ignore_empty_value: true + - rename: + field: _tmp.threatvalue + 
target_field: threatintel.indicator.email.address + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'email-addr' + - rename: + field: _tmp.threatvalue + target_field: threatintel.indicator.url.domain + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'domain-name' + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null + - foreach: + field: threatintel.anomali.labels + ignore_missing: true + processor: + append: + field: tags + value: "{{_ingest._value}}" + allow_duplicates: false + - grok: + field: threatintel.anomali.description + patterns: + - "^%{GREEDYDATA}Source: %{GREEDYDATA:threatintel.indicator.provider}" + ignore_missing: true + ignore_failure: true + ###################### + # Cleanup processors # + ###################### + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { if (x instanceof Map) { handleMap(x); } else if (x instanceof List) { handleList(x); } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } } - } - handleMap(ctx); -- remove: - field: - - threatintel.anomali.created - - message - - _tmp - ignore_missing: true + handleMap(ctx); + - remove: + field: + - threatintel.anomali.created + - message + - _tmp + ignore_missing: true on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml index b8b1d2def1cf..22644d79518a 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml 
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml 
@@ -1,399 +1,399 @@ description: Pipeline for parsing Anomali ThreatStream processors: -# -# Safeguard against feeding the pipeline with documents other -# that the ones generated by Filebeat's http_endpoint input. -# -- fail: - if: 'ctx.json == null || !(ctx.json instanceof Map)' - message: 'missing json object in input document' + # + # Safeguard against feeding the pipeline with documents other + # that the ones generated by Filebeat's http_endpoint input. + # + - fail: + if: "ctx.json == null || !(ctx.json instanceof Map)" + message: "missing json object in input document" -# -# Set basic ECS fields. -# -- set: - field: event.ingested - value: '{{{ _ingest.timestamp }}}' -- set: - field: event.kind - value: enrichment -- set: - field: event.category - value: threat -- set: - field: event.type - value: indicator + # + # Set basic ECS fields. + # + - set: + field: event.ingested + value: "{{{ _ingest.timestamp }}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator -# -# Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). -# -- script: - lang: painless - if: 'ctx.json.itype != null' - description: > - Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). 
- params: - actor_ip: ipv4-addr - adware_domain: domain-name - anon_proxy: ipv4-addr - anon_vpn: ipv4-addr - apt_domain: domain-name - apt_email: email-addr - apt_ip: ipv4-addr - apt_md5: file - apt_subject: email - apt_ua: url - apt_url: url - bot_ip: ipv4-addr - brute_ip: ipv4-addr - c2_domain: domain-name - c2_ip: ipv4-addr - c2_url: url - comm_proxy_domain: domain-name - comm_proxy_ip: ipv4-addr - compromised_domain: domain-name - compromised_ip: ipv4-addr - compromised_url: url - crypto_hash: file - crypto_ip: ipv4-addr - crypto_pool: domain - crypto_url: url - crypto_wallet: file - ddos_ip: ipv4-addr - disposable_email_domain: domain-name - dyn_dns: domain-name - exfil_domain: domain-name - exfil_ip: ipv4-addr - exfil_url: url - exploit_domain: domain-name - exploit_ip: ipv4-addr - exploit_url: url - free_email_domain: domain-name - geolocation_url: url - hack_tool: file - i2p_ip: ipv4-addr - ipcheck_url: url - mal_domain: domain-name - mal_email: email-addr - mal_ip: ipv4-addr - mal_md5: file - mal_sslcert_sh1: x509-certificate - mal_sslcert_sha1: x509-certificate - mal_ua: url - mal_url: url - p2pcnc: ipv4-addr - parked_domain: domain-name - parked_ip: ipv4-addr - parked_url: url - pastesite_url: url - phish_domain: domain-name - phish_email: email-addr - phish_ip: ipv4-addr - phish_url: url - proxy_ip: ipv4-addr - scan_ip: ipv4-addr - sinkhole_domain: domain-name - sinkhole_ip: ipv4-addr - spam_domain: domain-name - spam_email: email-addr - spam_ip: ipv4-addr - spam_url: url - speedtest_url: url - ssh_ip: ipv4-addr - suppress: suppress - suspicious_domain: domain-name - suspicious_email: email-addr - suspicious_ip: ipv4-addr - suspicious_reg_email: email-addr - suspicious_url: url - tor_ip: ipv4-addr - torrent_tracker_url: url - vpn_domain: domain-name - vps_ip: ipv4-addr - whois_bulk_reg_email: email-addr - whois_privacy_domain: domain-name - whois_privacy_email: email-addr - source: > - String mapping = params[ctx.json.itype]; - if (mapping != null) { - 
ctx["threatintel_indicator_type"] = mapping; - } - on_failure: - - append: - field: error.message - value: 'Unable to determine indicator type from "{{{ json.itype }}}": {{{ _ingest.on_failure_message }}}' + # + # Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + # + - script: + lang: painless + if: "ctx.json.itype != null" + description: > + Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + params: + actor_ip: ipv4-addr + adware_domain: domain-name + anon_proxy: ipv4-addr + anon_vpn: ipv4-addr + apt_domain: domain-name + apt_email: email-addr + apt_ip: ipv4-addr + apt_md5: file + apt_subject: email + apt_ua: url + apt_url: url + bot_ip: ipv4-addr + brute_ip: ipv4-addr + c2_domain: domain-name + c2_ip: ipv4-addr + c2_url: url + comm_proxy_domain: domain-name + comm_proxy_ip: ipv4-addr + compromised_domain: domain-name + compromised_ip: ipv4-addr + compromised_url: url + crypto_hash: file + crypto_ip: ipv4-addr + crypto_pool: domain + crypto_url: url + crypto_wallet: file + ddos_ip: ipv4-addr + disposable_email_domain: domain-name + dyn_dns: domain-name + exfil_domain: domain-name + exfil_ip: ipv4-addr + exfil_url: url + exploit_domain: domain-name + exploit_ip: ipv4-addr + exploit_url: url + free_email_domain: domain-name + geolocation_url: url + hack_tool: file + i2p_ip: ipv4-addr + ipcheck_url: url + mal_domain: domain-name + mal_email: email-addr + mal_ip: ipv4-addr + mal_md5: file + mal_sslcert_sh1: x509-certificate + mal_sslcert_sha1: x509-certificate + mal_ua: url + mal_url: url + p2pcnc: ipv4-addr + parked_domain: domain-name + parked_ip: ipv4-addr + parked_url: url + pastesite_url: url + phish_domain: domain-name + phish_email: email-addr + phish_ip: ipv4-addr + phish_url: url + proxy_ip: ipv4-addr + scan_ip: ipv4-addr + sinkhole_domain: domain-name + sinkhole_ip: ipv4-addr + spam_domain: domain-name + spam_email: email-addr + spam_ip: ipv4-addr + spam_url: url + speedtest_url: url + 
ssh_ip: ipv4-addr + suppress: suppress + suspicious_domain: domain-name + suspicious_email: email-addr + suspicious_ip: ipv4-addr + suspicious_reg_email: email-addr + suspicious_url: url + tor_ip: ipv4-addr + torrent_tracker_url: url + vpn_domain: domain-name + vps_ip: ipv4-addr + whois_bulk_reg_email: email-addr + whois_privacy_domain: domain-name + whois_privacy_email: email-addr + source: > + String mapping = params[ctx.json.itype]; + if (mapping != null) { + ctx["threatintel_indicator_type"] = mapping; + } + on_failure: + - append: + field: error.message + value: 'Unable to determine indicator type from "{{{ json.itype }}}": {{{ _ingest.on_failure_message }}}' -- rename: - field: threatintel_indicator_type - target_field: threatintel.indicator.type - ignore_missing: true + - rename: + field: threatintel_indicator_type + target_field: threatintel.indicator.type + ignore_missing: true -# -# Detect ipv6 for ipv4-addr types. -# -- set: - field: threatintel.indicator.type - value: ipv6-addr - if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.srcip != null && ctx.json.srcip.contains(":")' + # + # Detect ipv6 for ipv4-addr types. + # + - set: + field: threatintel.indicator.type + value: ipv6-addr + if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.srcip != null && ctx.json.srcip.contains(":")' -# -# Map first and last seen dates. -# -- date: - field: json.date_first - target_field: threatintel.indicator.first_seen - formats: - - ISO8601 - if: 'ctx.json.date_first != null' - on_failure: - - append: - field: error.message - value: 'Error parsing date_first field value "{{{ json.date_first }}}": {{{ _ingest.on_failure_message }}}' + # + # Map first and last seen dates. 
+ # + - date: + field: json.date_first + target_field: threatintel.indicator.first_seen + formats: + - ISO8601 + if: "ctx.json.date_first != null" + on_failure: + - append: + field: error.message + value: 'Error parsing date_first field value "{{{ json.date_first }}}": {{{ _ingest.on_failure_message }}}' -- date: - field: json.date_last - target_field: threatintel.indicator.last_seen - formats: - - ISO8601 - if: 'ctx.json.date_last != null' - on_failure: - - append: - field: error.message - value: 'Error parsing date_last field value "{{{ json.date_last }}}": {{{ _ingest.on_failure_message }}}' + - date: + field: json.date_last + target_field: threatintel.indicator.last_seen + formats: + - ISO8601 + if: "ctx.json.date_last != null" + on_failure: + - append: + field: error.message + value: 'Error parsing date_last field value "{{{ json.date_last }}}": {{{ _ingest.on_failure_message }}}' -# -# Map IP geolocation fields. -# -- convert: - field: json.lat - target_field: threatintel.indicator.geo.location.lat - type: double - if: 'ctx.json.lat != null && ctx.json.lon != null' - on_failure: - - append: - field: error.message - value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}' -- convert: - field: json.lon - target_field: threatintel.indicator.geo.location.lon - type: double - if: 'ctx.json.lat != null && ctx.json.lon != null' - on_failure: - - append: - field: error.message - value: 'Cannot convert lon field "{{{ json.lon }}}" to double: {{{ _ingest.on_failure_message }}}' + # + # Map IP geolocation fields. 
+ # + - convert: + field: json.lat + target_field: threatintel.indicator.geo.location.lat + type: double + if: "ctx.json.lat != null && ctx.json.lon != null" + on_failure: + - append: + field: error.message + value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}' + - convert: + field: json.lon + target_field: threatintel.indicator.geo.location.lon + type: double + if: "ctx.json.lat != null && ctx.json.lon != null" + on_failure: + - append: + field: error.message + value: 'Cannot convert lon field "{{{ json.lon }}}" to double: {{{ _ingest.on_failure_message }}}' -# -# Map classification field to Traffic Light Protocol (TLP). -# Currently: -# public => White ("Disclosure is not limited.") -# private => Amber ("Limited disclosure, restricted to participants’ organizations."). -# -- append: - field: threatintel.indicator.marking.tlp - value: Amber - if: 'ctx.json.classification == "private"' -- append: - field: threatintel.indicator.marking.tlp - value: White - if: 'ctx.json.classification == "public"' + # + # Map classification field to Traffic Light Protocol (TLP). + # Currently: + # public => White ("Disclosure is not limited.") + # private => Amber ("Limited disclosure, restricted to participants’ organizations."). + # + - append: + field: threatintel.indicator.marking.tlp + value: Amber + if: 'ctx.json.classification == "private"' + - append: + field: threatintel.indicator.marking.tlp + value: White + if: 'ctx.json.classification == "public"' -# -# Convert confidence field (-1..100) to ECS confidence (0..10). -# -- script: - lang: painless - description: > - Normalize confidence level. 
- source: > - def value = ctx.json.confidence; - if (value == null || value < 0.0 || value > 100.0) return; - ctx["threatintel_indicator_confidence"] = (long)Math.round((double)value / 10.0); - on_failure: - - append: - field: error.message - value: 'failed to normalize confidence value `{{{ json.confidence }}}`: {{{ _ingest.on_failure_message }}}' + # + # Convert confidence field (-1..100) to ECS confidence (0..10). + # + - script: + lang: painless + description: > + Normalize confidence level. + source: > + def value = ctx.json.confidence; + if (value == null || value < 0.0 || value > 100.0) return; + ctx["threatintel_indicator_confidence"] = (long)Math.round((double)value / 10.0); + on_failure: + - append: + field: error.message + value: "failed to normalize confidence value `{{{ json.confidence }}}`: {{{ _ingest.on_failure_message }}}" -- rename: - field: threatintel_indicator_confidence - target_field: threatintel.indicator.confidence - ignore_missing: true + - rename: + field: threatintel_indicator_confidence + target_field: threatintel.indicator.confidence + ignore_missing: true -# -# Convert asn field. -# -- convert: - field: json.asn - target_field: threatintel.indicator.as.number - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Cannot convert asn field `{{{ json.asn }}}` to long: {{{ _ingest.on_failure_message }}}' + # + # Convert asn field. 
+ # + - convert: + field: json.asn + target_field: threatintel.indicator.as.number + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: "Cannot convert asn field `{{{ json.asn }}}` to long: {{{ _ingest.on_failure_message }}}" -- rename: - field: json.org - target_field: threatintel.indicator.as.organization.name - ignore_missing: true + - rename: + field: json.org + target_field: threatintel.indicator.as.organization.name + ignore_missing: true -- rename: - field: json.email - target_field: threatintel.indicator.email.address - ignore_missing: true + - rename: + field: json.email + target_field: threatintel.indicator.email.address + ignore_missing: true -- rename: - field: json.srcip - target_field: threatintel.indicator.ip - ignore_missing: true + - rename: + field: json.srcip + target_field: threatintel.indicator.ip + ignore_missing: true -- uri_parts: - field: json.url - target_field: threatintel.indicator.url - keep_original: true - remove_if_successful: true - if: 'ctx.json.url != null' - on_failure: - - append: - field: error.message - value: 'Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}' -- set: - field: threatintel.indicator.url.full - value: '{{{threatintel.indicator.url.original}}}' - ignore_empty_value: true -- rename: - field: json.domain - target_field: threatintel.indicator.url.domain - ignore_missing: true - if: ctx.threatintel?.indicator?.url?.domain == null -- rename: - field: json.country - target_field: threatintel.indicator.geo.country_iso_code - ignore_missing: true + - uri_parts: + field: json.url + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + if: "ctx.json.url != null" + on_failure: + - append: + field: error.message + value: "Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}" + - set: + field: threatintel.indicator.url.full + value: "{{{threatintel.indicator.url.original}}}" + 
ignore_empty_value: true + - rename: + field: json.domain + target_field: threatintel.indicator.url.domain + ignore_missing: true + if: ctx.threatintel?.indicator?.url?.domain == null + - rename: + field: json.country + target_field: threatintel.indicator.geo.country_iso_code + ignore_missing: true -# -# md5 field can actually contain different kinds of hash. -# Map to file.hash.* depending on hash length. -# -- rename: - field: json.md5 - target_field: threatintel.indicator.file.hash.md5 - if: 'ctx.json.md5 != null && ctx.json.md5.length() == 32' + # + # md5 field can actually contain different kinds of hash. + # Map to file.hash.* depending on hash length. + # + - rename: + field: json.md5 + target_field: threatintel.indicator.file.hash.md5 + if: "ctx.json.md5 != null && ctx.json.md5.length() == 32" -- rename: - field: json.md5 - target_field: threatintel.indicator.file.hash.sha1 - if: 'ctx.json.md5 != null && ctx.json.md5.length() == 40' + - rename: + field: json.md5 + target_field: threatintel.indicator.file.hash.sha1 + if: "ctx.json.md5 != null && ctx.json.md5.length() == 40" -- rename: - field: json.md5 - target_field: threatintel.indicator.file.hash.sha256 - if: 'ctx.json.md5 != null && ctx.json.md5.length() == 64' + - rename: + field: json.md5 + target_field: threatintel.indicator.file.hash.sha256 + if: "ctx.json.md5 != null && ctx.json.md5.length() == 64" -- rename: - field: json.md5 - target_field: threatintel.indicator.file.hash.sha512 - if: 'ctx.json.md5 != null && ctx.json.md5.length() == 128' + - rename: + field: json.md5 + target_field: threatintel.indicator.file.hash.sha512 + if: "ctx.json.md5 != null && ctx.json.md5.length() == 128" -- rename: - field: json.source - target_field: threatintel.indicator.provider - ignore_missing: true + - rename: + field: json.source + target_field: threatintel.indicator.provider + ignore_missing: true -# -# Map field severity to event severity as follows: -# low => 3 -# medium => 5 -# high => 7 -# very-high => 9 -# 
-- set: - field: event.severity - value: 3 - if: 'ctx.json.severity == "low"' + # + # Map field severity to event severity as follows: + # low => 3 + # medium => 5 + # high => 7 + # very-high => 9 + # + - set: + field: event.severity + value: 3 + if: 'ctx.json.severity == "low"' -- set: - field: event.severity - value: 5 - if: 'ctx.json.severity == "medium"' + - set: + field: event.severity + value: 5 + if: 'ctx.json.severity == "medium"' -- set: - field: event.severity - value: 7 - if: 'ctx.json.severity == "high"' + - set: + field: event.severity + value: 7 + if: 'ctx.json.severity == "high"' -- set: - field: event.severity - value: 9 - if: 'ctx.json.severity == "very-high"' + - set: + field: event.severity + value: 9 + if: 'ctx.json.severity == "very-high"' -# -# Field trusted_circles_ids is a comma-separated string -# that can contain leading and trailing separators (i.e. ",123,"). -# Need a script processor as split processor doesn't support -# removing non-trailing separators. -# -- script: - lang: painless - if: 'ctx.json.trusted_circle_ids != null && ctx.json.trusted_circle_ids instanceof String' - description: > - Convert trusted_circles_ids from CSV to an array. - source: > - def lst = - Stream.of(ctx.json.trusted_circle_ids.splitOnToken(",")) - .filter(s -> !s.isEmpty()) - .toArray(String[]::new); - if (lst.length > 0) { - ctx.json.trusted_circle_ids = lst; - } else { - ctx.json.remove('trusted_circle_ids'); - } - on_failure: - - append: - field: error.message - value: 'unable to split trusted_circle_ids "{{{ json.trusted_circle_ids }}}": {{{ _ingest.on_failure_message }}}' + # + # Field trusted_circles_ids is a comma-separated string + # that can contain leading and trailing separators (i.e. ",123,"). + # Need a script processor as split processor doesn't support + # removing non-trailing separators. 
+ # + - script: + lang: painless + if: "ctx.json.trusted_circle_ids != null && ctx.json.trusted_circle_ids instanceof String" + description: > + Convert trusted_circles_ids from CSV to an array. + source: > + def lst = + Stream.of(ctx.json.trusted_circle_ids.splitOnToken(",")) + .filter(s -> !s.isEmpty()) + .toArray(String[]::new); + if (lst.length > 0) { + ctx.json.trusted_circle_ids = lst; + } else { + ctx.json.remove('trusted_circle_ids'); + } + on_failure: + - append: + field: error.message + value: 'unable to split trusted_circle_ids "{{{ json.trusted_circle_ids }}}": {{{ _ingest.on_failure_message }}}' -# -# Split detail field and append each component to ECS tags field. -# -- split: - field: json.detail - separator: '(? v == null); - } - void handleList(List list) { - for (def x : list) { + ###################### + # Cleanup processors # + ###################### + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { if (x instanceof Map) { handleMap(x); } else if (x instanceof List) { handleList(x); } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } } - } - handleMap(ctx); -- remove: - field: - - threatintel.malwarebazaar.first_seen - - threatintel.malwarebazaar.last_seen - - message - ignore_missing: true + handleMap(ctx); + - remove: + field: + - threatintel.malwarebazaar.first_seen + - threatintel.malwarebazaar.last_seen + - message + ignore_missing: true on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
index 1d051cecacf8..8987e591b9b9 100644
--- a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
@@ -1,241 +1,240 @@ description: Pipeline for parsing MISP Threat Intel processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator -#################### -# Event ECS fields # -#################### -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- set: - field: event.kind - value: enrichment -- set: - field: event.category - value: threat -- set: - field: event.type - value: indicator + ###################### + # General ECS fields # + ###################### + - rename: + field: json.Event + target_field: threatintel.misp + ignore_missing: true + - set: + field: threatintel.indicator.provider + value: misp + if: ctx?.threatintel?.misp?.Orgc?.local != 'false' + - set: + field: threatintel.indicator.provider + value: "{{misp.Orgc.name}}" + if: ctx?.threatintel?.misp?.Orgc?.local == 'false' + ignore_empty_value: true -###################### -# General ECS fields # -###################### -- rename: - field: json.Event - target_field: threatintel.misp - ignore_missing: true -- set: - field: threatintel.indicator.provider - value: misp - if: ctx?.threatintel?.misp?.Orgc?.local != 'false' -- set: - field: threatintel.indicator.provider - value: '{{misp.Orgc.name}}' - if: ctx?.threatintel?.misp?.Orgc?.local == 'false' - ignore_empty_value: true + # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event + - remove: + field: + - threatintel.misp.ShadowAttribute + - threatintel.misp.RelatedEvent + - threatintel.misp.Galaxy + - threatintel.misp.Attribute.Galaxy + - threatintel.misp.Attribute.ShadowAttribute + - threatintel.misp.Object + - threatintel.misp.EventReport + - message + ignore_missing: true + - date: + field: threatintel.misp.timestamp + formats: + - UNIX + 
ignore_failure: true + - rename: + field: threatintel.misp.Attribute + target_field: threatintel.misp.attribute + ignore_missing: true + - rename: + field: threatintel.misp.Orgc + target_field: threatintel.misp.orgc + ignore_missing: true + - rename: + field: threatintel.misp.Org + target_field: threatintel.misp.org + ignore_missing: true + - rename: + field: threatintel.misp.Attribute + target_field: threatintel.misp.attribute + ignore_missing: true + - rename: + field: threatintel.misp.Tag + target_field: threatintel.misp.tag + ignore_missing: true -# Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event -- remove: - field: - - threatintel.misp.ShadowAttribute - - threatintel.misp.RelatedEvent - - threatintel.misp.Galaxy - - threatintel.misp.Attribute.Galaxy - - threatintel.misp.Attribute.ShadowAttribute - - threatintel.misp.Object - - threatintel.misp.EventReport - - message - ignore_missing: true -- date: - field: threatintel.misp.timestamp - formats: - - UNIX - ignore_failure: true -- rename: - field: threatintel.misp.Attribute - target_field: threatintel.misp.attribute - ignore_missing: true -- rename: - field: threatintel.misp.Orgc - target_field: threatintel.misp.orgc - ignore_missing: true -- rename: - field: threatintel.misp.Org - target_field: threatintel.misp.org - ignore_missing: true -- rename: - field: threatintel.misp.Attribute - target_field: threatintel.misp.attribute - ignore_missing: true -- rename: - field: threatintel.misp.Tag - target_field: threatintel.misp.tag - ignore_missing: true + ##################### + # Threat ECS Fields # + ##################### + - rename: + field: threatintel.misp.attribute.first_seen + target_field: threatintel.indicator.first_seen + ignore_missing: true + - rename: + field: threatintel.misp.attribute.last_seen + target_field: threatintel.indicator.last_seen + ignore_missing: true + - convert: + field: threatintel.misp.analysis + type: long + target_field: 
threatintel.indicator.scanner_stats + ignore_missing: true + - convert: + field: threatintel.misp.threat_level_id + type: long + ignore_missing: true -##################### -# Threat ECS Fields # -##################### -- rename: - field: threatintel.misp.attribute.first_seen - target_field: threatintel.indicator.first_seen - ignore_missing: true -- rename: - field: threatintel.misp.attribute.last_seen - target_field: threatintel.indicator.last_seen - ignore_missing: true -- convert: - field: threatintel.misp.analysis - type: long - target_field: threatintel.indicator.scanner_stats - ignore_missing: true -- convert: - field: threatintel.misp.threat_level_id - type: long - ignore_missing: true + ## File/Hash indicator operations + - set: + field: threatintel.indicator.type + value: file + if: "['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename')" + - rename: + field: threatintel.misp.attribute.value + target_field: "threatintel.indicator.file.hash.{{threatintel.misp.attribute.type}}" + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type != null && !ctx?.threatintel?.misp?.attribute?.type.startsWith('filename')" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.file.name + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type == 'filename'" + - grok: + field: threatintel.misp.attribute.type + patterns: + - "%{WORD}\\|%{WORD:_tmp.hashtype}" + ignore_missing: true + if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + - grok: + field: threatintel.misp.attribute.value + patterns: + - 
"%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" + ignore_missing: true + if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + - set: + field: threatintel.indicator.file.hash.{{_tmp.hashtype}} + value: "{{_tmp.hashvalue}}" + if: "ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" -## File/Hash indicator operations -- set: - field: threatintel.indicator.type - value: file - if: "['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename')" -- rename: - field: threatintel.misp.attribute.value - target_field: "threatintel.indicator.file.hash.{{threatintel.misp.attribute.type}}" - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type != null && !ctx?.threatintel?.misp?.attribute?.type.startsWith('filename')" -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.file.name - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type == 'filename'" -- grok: - field: threatintel.misp.attribute.type - patterns: - - "%{WORD}\\|%{WORD:_tmp.hashtype}" - ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') -- grok: - field: threatintel.misp.attribute.value - patterns: - - "%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" - ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') -- set: - field: threatintel.indicator.file.hash.{{_tmp.hashtype}} - value: '{{_tmp.hashvalue}}' - if: "ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && 
ctx?._tmp?.hashtype != null" + ## URL/URI indicator operations + - set: + field: threatintel.indicator.type + value: url + if: "ctx?.threatintel?.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx?.threatintel?.misp?.attribute?.type)" + - uri_parts: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri' -## URL/URI indicator operations -- set: - field: threatintel.indicator.type - value: url - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx?.threatintel?.misp?.attribute?.type)" -- uri_parts: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.url - keep_original: true - remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri' + - set: + field: threatintel.indicator.url.full + value: "{{{threatintel.indicator.url.original}}}" + ignore_empty_value: true + if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'" -- set: - field: threatintel.indicator.url.full - value: '{{{threatintel.indicator.url.original}}}' - ignore_empty_value: true - if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'" + ## Regkey indicator operations + - set: + field: threatintel.indicator.type + value: windows-registry-key + if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('regkey')" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.registry.key + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'" + - grok: + field: threatintel.misp.attribute.value + patterns: + - 
"%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}" + ignore_missing: true + if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'" -## Regkey indicator operations -- set: - field: threatintel.indicator.type - value: windows-registry-key - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('regkey')" -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.registry.key - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'" -- grok: - field: threatintel.misp.attribute.value - patterns: - - "%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}" - ignore_missing: true - if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'" + ## AS indicator operations + - set: + field: threatintel.indicator.type + value: autonomous-system + if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type == 'AS'" + - convert: + field: threatintel.misp.attribute.value + type: long + target_field: threatintel.indicator.as.number + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'autonomous-system' -## AS indicator operations -- set: - field: threatintel.indicator.type - value: autonomous-system - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type == 'AS'" -- convert: - field: threatintel.misp.attribute.value - type: long - target_field: threatintel.indicator.as.number - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'autonomous-system' + ## Domain/IP/Port indicator operations + - set: + field: threatintel.indicator.type + value: domain-name + if: "ctx?.threatintel?.misp?.attribute?.type != null && (ctx?.threatintel?.misp?.attribute?.type == 'hostname' || 
ctx?.threatintel?.misp?.attribute?.type.startsWith('domain'))" + - set: + field: threatintel.indicator.type + value: ipv4-addr + if: "ctx?.threatintel?.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.url.domain + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.ip + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'ipv4-addr' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" + - grok: + field: threatintel.misp.attribute.value + patterns: + - "%{DATA:threatintel.indicator.url.domain}\\|%{IP:threatintel.indicator.ip}" + ignore_missing: true + if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null + - grok: + field: threatintel.misp.attribute.value + patterns: + - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}" + ignore_missing: true + if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)" -## Domain/IP/Port indicator operations -- set: - field: threatintel.indicator.type - value: domain-name - if: "ctx?.threatintel?.misp?.attribute?.type != null && (ctx?.threatintel?.misp?.attribute?.type == 'hostname' || ctx?.threatintel?.misp?.attribute?.type.startsWith('domain'))" -- set: - field: threatintel.indicator.type - value: ipv4-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" -- rename: - field: threatintel.misp.attribute.value - 
target_field: threatintel.indicator.url.domain - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null" -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.ip - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'ipv4-addr' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" -- grok: - field: threatintel.misp.attribute.value - patterns: - - "%{DATA:threatintel.indicator.url.domain}\\|%{IP:threatintel.indicator.ip}" - ignore_missing: true - if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null -- grok: - field: threatintel.misp.attribute.value - patterns: - - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}" - ignore_missing: true - if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)" + ## Email indicator operations + # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. 
+ - set: + field: threatintel.indicator.type + value: email-addr + if: "ctx?.threatintel?.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" + - set: + field: threatintel.indicator.type + value: email-message + if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx.threatintel?.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.email.address + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'email-addr' -## Email indicator operations -# Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. -- set: - field: threatintel.indicator.type - value: email-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" -- set: - field: threatintel.indicator.type - value: email-message - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx.threatintel?.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.email.address - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'email-addr' + ## MAC Address indicator operations + - set: + field: threatintel.indicator.type + value: mac-addr + if: "ctx?.threatintel?.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.threatintel?.misp?.attribute?.type)" + - rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.mac + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'mac-addr' -## MAC Address indicator operations -- set: - field: threatintel.indicator.type - value: mac-addr - if: 
"ctx?.threatintel?.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.threatintel?.misp?.attribute?.type)" -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.mac - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'mac-addr' - -################### -# Tags ECS fields # -################### -# Stripping special characters from tags -- script: + ################### + # Tags ECS fields # + ################### + # Stripping special characters from tags + - script: lang: painless if: ctx?.threatintel?.misp?.tag != null source: | 
@@ -250,57 +249,57 @@ processors: ctx.tags = tags; ctx.threatintel.indicator.marking = [ 'tlp': tlpTags ]; -# Setting indicator type to unknown if it does not match anything -- set: - field: threatintel.indicator.type - value: unknown - if: ctx?.threatintel?.indicator?.type == null + # Setting indicator type to unknown if it does not match anything + - set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null -###################### -# Cleanup processors # -###################### -- script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { + ###################### + # Cleanup processors # + ###################### + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { if (x instanceof Map) { handleMap(x); } else if (x instanceof List) { handleList(x); } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } } - } - handleMap(ctx); -# Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event -- remove: - field: - - threatintel.misp.attribute.value - ignore_missing: true - if: ctx?.threatintel?.indicator?.type != 'unknown' -- remove: - field: - - threatintel.misp.Attribute.timestamp - - threatintel.misp.timestamp - - threatintel.misp.tag - - threatintel.misp.org - - threatintel.misp.analysis - - _tmp - - json - ignore_missing: true + handleMap(ctx); + # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event + - remove: + field: + 
- threatintel.misp.attribute.value + ignore_missing: true + if: ctx?.threatintel?.indicator?.type != 'unknown' + - remove: + field: + - threatintel.misp.Attribute.timestamp + - threatintel.misp.timestamp + - threatintel.misp.tag + - threatintel.misp.org + - threatintel.misp.analysis + - _tmp + - json + ignore_missing: true on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml index b00de82d1a5a..4cb3ed37aef7 100644 --- a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml 
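Review bot: The final `remove` lists `threatintel.misp.Attribute.timestamp`, but the pipeline renames `threatintel.misp.Attribute` to `threatintel.misp.attribute` earlier on, so this entry never matches, is silently skipped by `ignore_missing`, and the raw attribute timestamp remains on the indexed document under `threatintel.misp.attribute.timestamp`; change the entry to `- threatintel.misp.attribute.timestamp`. Separately, the null-stripping script is gated on `ctx?.threatintel != null` but calls `handleMap(ctx)` from the document root, so it presumably also rewrites fields outside `threatintel.*` (including the list the tag script stores in `tags`); if that is deliberate, a comment `# Recursively strip null values from the whole document, not only threatintel.*` above the script would make the scope explicit. This hunk only re-indents existing processors, so the stale field name predates the change.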
@@ -1,162 +1,161 @@
 description: Pipeline for parsing MISP Threat Intel
 processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
-####################
-# Event ECS fields #
-####################
-- set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-- set:
- field: event.kind
- value: enrichment
-- set:
- field: event.category
- value: threat
-- set:
- field: event.type
- value: indicator
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: json
+ target_field: threatintel.otx
+ ignore_missing: true
-######################
-# General ECS fields #
-######################
-- rename:
- field: json
- target_field: threatintel.otx
- ignore_missing: true
+ #####################
+ # Threat ECS Fields #
+ #####################
+ ## File indicator operations
+ - set:
+ field: threatintel.indicator.type
+ value: file
+ if: "ctx.threatintel?.otx?.type.startsWith('FileHash') || ctx.threatintel?.otx?.type == 'filepath'"
+ - rename:
+ field: threatintel.otx.indicator
+ target_field: threatintel.indicator.file.hash.md5
+ ignore_missing: true
+ if: "ctx.threatintel?.otx?.type == 'FileHash-MD5'"
+ - rename:
+ field: threatintel.otx.indicator
+ target_field: threatintel.indicator.file.hash.sha1
+ ignore_missing: true
+ if: "ctx.threatintel?.otx?.type == 'FileHash-SHA1'"
+ - rename:
+ field: threatintel.otx.indicator
+ target_field: threatintel.indicator.file.hash.sha256
+ ignore_missing: true
+ if: "ctx.threatintel?.otx?.type == 'FileHash-SHA256'"
+ - rename:
+ field: threatintel.otx.indicator
+ target_field: threatintel.indicator.file.hash.pehash
+ ignore_missing: true
+ if: "ctx.threatintel?.otx?.type == 'FileHash-PEHASH'"
+ - rename:
+ field: threatintel.otx.indicator
+ target_field: threatintel.indicator.file.hash.imphash
+ ignore_missing: true
+ if: "ctx.threatintel?.otx?.type == 'FileHash-IMPHASH'"
-#####################
-# Threat ECS Fields #
-#####################
-## File indicator operations
-- set:
- field: threatintel.indicator.type
- value: file
- if: "ctx.threatintel?.otx?.type.startsWith('FileHash') || ctx.threatintel?.otx?.type == 'filepath'"
-- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.file.hash.md5
- ignore_missing: true
- if: "ctx.threatintel?.otx?.type == 'FileHash-MD5'"
-- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.file.hash.sha1
- ignore_missing: true
- if: "ctx.threatintel?.otx?.type == 'FileHash-SHA1'"
-- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.file.hash.sha256
- ignore_missing: true
- if: "ctx.threatintel?.otx?.type == 'FileHash-SHA256'"
-- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.file.hash.pehash
- ignore_missing: true
- if: "ctx.threatintel?.otx?.type == 'FileHash-PEHASH'"
-- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.file.hash.imphash
- ignore_missing: true
- if: "ctx.threatintel?.otx?.type == 'FileHash-IMPHASH'"
+ ## IP indicator operations
+ - set:
+ field: threatintel.indicator.type
+ value: ipv4-addr
+ if: ctx.threatintel?.otx?.type == 'IPv4'
+ - set:
+ field: threatintel.indicator.type
+ value: ipv6-addr
+ if: ctx.threatintel?.otx?.type == 'IPv6'
+ - rename:
+ field: threatintel.otx.indicator
+ target_field: threatintel.indicator.ip
+ ignore_missing: true
+ if: "ctx?.threatintel?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)"
-## IP indicator operations
-- set:
- field: threatintel.indicator.type
- value: ipv4-addr
- if: ctx.threatintel?.otx?.type == 'IPv4'
-- set:
- field: threatintel.indicator.type
- value: ipv6-addr
- if: ctx.threatintel?.otx?.type == 'IPv6'
-- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.ip
- ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)"
+ ## URL indicator operations
+ - set:
+ field: threatintel.indicator.type
+ value: url
+ if: "ctx?.threatintel?.indicator?.type == null && ['URL', 'URI'].contains(ctx.threatintel?.otx?.type)"
+ - uri_parts:
+ field: threatintel.otx.indicator
+ target_field: threatintel.indicator.url
+ keep_original: true
+ remove_if_successful: true
+ if: ctx?.threatintel?.indicator?.type == 'url'
+ - set:
+ field: threatintel.indicator.url.full
+ value: "{{{threatintel.indicator.url.original}}}"
+ ignore_empty_value: true
+ if: "ctx?.threatintel?.otx?.type == 'URL'"
-## URL indicator operations
-- set:
- field: threatintel.indicator.type
- value: url
- if: "ctx?.threatintel?.indicator?.type == null && ['URL', 'URI'].contains(ctx.threatintel?.otx?.type)"
-- uri_parts:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.url
- keep_original: true
- remove_if_successful: true
- if: ctx?.threatintel?.indicator?.type == 'url'
-- set:
- field: threatintel.indicator.url.full
- value: '{{{threatintel.indicator.url.original}}}'
- ignore_empty_value: true
- if: "ctx?.threatintel?.otx?.type == 'URL'"
+ ## Email indicator operations
+ - set:
+ field: threatintel.indicator.type
+ value: email-addr
+ if: ctx?.threatintel?.otx?.type == 'email'
+ - rename:
+ field: threatintel.otx.indicator
+ target_field: threatintel.indicator.email.address
+ ignore_missing: true
+ if: "ctx?.threatintel?.indicator?.type == 'email-addr'"
-## Email indicator operations
-- set:
- field: threatintel.indicator.type
- value: email-addr
- if: ctx?.threatintel?.otx?.type == 'email'
-- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.email.address
- ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type == 'email-addr'"
+ ## Domain indicator operations
+ - set:
+ field: threatintel.indicator.type
+ value: domain-name
+ if: "ctx?.threatintel?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.threatintel?.otx?.type)"
+ - rename:
+ field: threatintel.otx.indicator
+ target_field: threatintel.indicator.url.domain
+ ignore_missing: true
+ if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx.threatintel?.indicator?.url?.domain == null"
-## Domain indicator operations
-- set:
- field: threatintel.indicator.type
- value: domain-name
- if: "ctx?.threatintel?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.threatintel?.otx?.type)"
-- rename:
- field: threatintel.otx.indicator
- target_field: threatintel.indicator.url.domain
- ignore_missing: true
- if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx.threatintel?.indicator?.url?.domain == null"
-
-######################
-# Cleanup processors #
-######################
-- set:
- field: threatintel.indicator.type
- value: unknown
- if: ctx?.threatintel?.indicator?.type == null
-- script:
- lang: painless
- if: ctx?.threatintel != null
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
- }
- void handleList(List list) {
- for (def x : list) {
+ ######################
+ # Cleanup processors #
+ ######################
+ - set:
+ field: threatintel.indicator.type
+ value: unknown
+ if: ctx?.threatintel?.indicator?.type == null
+ - script:
+ lang: painless
+ if: ctx?.threatintel != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
 if (x instanceof Map) {
 handleMap(x);
 } else if (x instanceof List) {
 handleList(x);
 }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
 }
- }
- handleMap(ctx);
-- remove:
- field:
- - threatintel.otx.content
- ignore_missing: true
- if: ctx?.threatintel?.otx?.content == ""
-- remove:
- field:
- - threatintel.otx.type
- - threatintel.otx.id
- - message
- ignore_missing: true
- if: ctx?.threatintel?.indicator?.type != null
+ handleMap(ctx);
+ - remove:
+ field:
+ - threatintel.otx.content
+ ignore_missing: true
+ if: ctx?.threatintel?.otx?.content == ""
+ - remove:
+ field:
+ - threatintel.otx.type
+ - threatintel.otx.id
+ - message
+ ignore_missing: true
+ if: ctx?.threatintel?.indicator?.type != null
 on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
index 318f74d53a63..8e0a6d4b3343 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
@@ -5,15 +5,15 @@ processors:
 # that the ones generated by Filebeat's httpjson input.
 #
 - fail:
- if: 'ctx.json == null || !(ctx.json instanceof Map)'
- message: 'missing json object in input document'
+ if: "ctx.json == null || !(ctx.json instanceof Map)"
+ message: "missing json object in input document"
 #
 # Set basic ECS fields.
 #
 - set:
 field: event.ingested
- value: '{{{ _ingest.timestamp }}}'
+ value: "{{{ _ingest.timestamp }}}"
 - set:
 field: event.kind
 value: enrichment
@@ -29,7 +29,7 @@ processors:
 #
 - script:
 lang: painless
- if: 'ctx.json.entity?.type != null'
+ if: "ctx.json.entity?.type != null"
 description: >
 Map entity.type field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
 params:
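Review bot: The first context line of the otx hunk still reads `description: Pipeline for parsing MISP Threat Intel`, while the file being rewritten is `x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml`; since this hunk touches every line of the file, it is the natural place to fix the copied-in description, e.g. `description: Pipeline for parsing OTX Threat Intel`. The description is what operators see when listing ingest pipelines, so a wrong one makes it harder to attribute an error.message written by this pipeline's on_failure handler to the right module. The rest of the hunk is re-indentation and quote-style normalization with no functional change visible.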
@@ -68,7 +68,7 @@ processors:
 target_field: threatintel.indicator.first_seen
 formats:
 - ISO8601
- if: 'ctx.json.timestamps?.firstSeen != null'
+ if: "ctx.json.timestamps?.firstSeen != null"
 on_failure:
 - append:
 field: error.message
@@ -78,13 +78,12 @@ processors:
 target_field: threatintel.indicator.last_seen
 formats:
 - ISO8601
- if: 'ctx.json.timestamps?.lastSeen != null'
+ if: "ctx.json.timestamps?.lastSeen != null"
 on_failure:
 - append:
 field: error.message
 value: 'Error parsing lastSeen field value "{{{ json.timestamps.lastSeen }}}": {{{ _ingest.on_failure_message }}}'
-
 #
 # Map location fields.
 #
@@ -103,51 +102,45 @@ processors:
 - grok:
 field: json.location.asn
 patterns:
- - '^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$'
+ - "^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$"
 ignore_missing: true
 on_failure:
 - append:
 field: error.message
- value: 'Cannot parse asn field `{{{ json.location.asn }}}`: {{{ _ingest.on_failure_message }}}'
-
+ value: "Cannot parse asn field `{{{ json.location.asn }}}`: {{{ _ingest.on_failure_message }}}"
 - rename:
 field: json.location.organization
 target_field: threatintel.indicator.as.organization.name
 ignore_missing: true
-
 - set:
 field: threatintel.indicator.reference
- value: '{{{ json.intelCard }}}'
+ value: "{{{ json.intelCard }}}"
 ignore_empty_value: true
-
 - set:
 field: json.ip_range
- value: '{{{json.entity.name}}}'
+ value: "{{{json.entity.name}}}"
 if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && ctx.json.entity.name.contains("/")'
 - set:
 field: json.ip_range
- value: '{{{ json.entity.name }}}/32'
+ value: "{{{ json.entity.name }}}/32"
 if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
 - set:
 field: json.ip_range
- value: '{{{ json.entity.name }}}/128'
+ value: "{{{ json.entity.name }}}/128"
 if: 'ctx.threatintel?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
 - set:
 field: json.ip_range
- value: '{{{json.entity.name}}}'
+ value: "{{{json.entity.name}}}"
 if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && ctx.json.entity.name.contains("/")'
-
 - rename:
 field: json.entity.name
 target_field: threatintel.indicator.ip
 if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")'
-
 - rename:
 field: json.entity.name
 target_field: threatintel.indicator.url.domain
 ignore_missing: true
 if: 'ctx.threatintel?.indicator?.type == "domain-name" && ctx.threatintel?.indicator?.url?.domain == null'
-
 - uri_parts:
 field: json.entity.name
 target_field: threatintel.indicator.url
@@ -157,30 +150,28 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: 'Cannot parse url field `{{{ json.entity.name }}}`: {{{ _ingest.on_failure_message }}}'
+ value: "Cannot parse url field `{{{ json.entity.name }}}`: {{{ _ingest.on_failure_message }}}"
 # At this point fileHashes may exist if "fileHashes" field is requested.
 - append:
 field: json.fileHashes
- value: '{{{ json.entity.name }}}'
+ value: "{{{ json.entity.name }}}"
 allow_duplicates: false
 if: 'ctx.threatintel?.indicator?.type == "file"'
-
 - remove:
 field: json.entity.name
 if: 'ctx.threatintel?.indicator?.type == "file"'
-
 - script:
 lang: painless
 description: >
 Map file hashes.
- if: 'ctx.json.fileHashes != null'
+ if: "ctx.json.fileHashes != null"
 params:
- '4': crc32
- '32': md5
- '40': sha1
- '64': sha256
- '128': sha512
+ "4": crc32
+ "32": md5
+ "40": sha1
+ "64": sha256
+ "128": sha512
 source: >
 def hashes = new HashMap();
 for (def hash : ctx.json.fileHashes) {
@@ -193,8 +184,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: 'Failed to map fileHashes field: {{ _ingest.on_failure_message }}'
-
+ value: "Failed to map fileHashes field: {{ _ingest.on_failure_message }}"
 - rename:
 field: _hashes
 target_field: threatintel.indicator.file.hash
@@ -211,7 +201,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: 'Risk score `{{{ json.risk.score }}}` cannot be converted to float: {{ _ingest.on_failure_message }}'
+ value: "Risk score `{{{ json.risk.score }}}` cannot be converted to float: {{ _ingest.on_failure_message }}"
 #
 # Remove fields converted to an ECS field.
 #
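Review bot: The grok pattern under `patterns:` in the `@@ -103,51 +102,45 @@` hunk is switched to a double-quoted scalar, `- "^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$"`; YAML processes backslash escapes inside double quotes, so the first time someone adds `\d` or `\.` to this regex the YAML loader will reject the file, and a valid escape such as `\t` would be silently rewritten before grok ever sees it. The pattern contains no backslashes today so behaviour is unchanged, but regexes and grok patterns are safer kept single-quoted, `- '^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$'`, in line with the `if:` expressions in the same hunk that remain single-quoted. Separately, the first and fourth `set` of `json.ip_range` in this hunk (context lines, condition `ctx.json.entity?.type == "IpAddress" && ... contains("/")`) are identical, so one of them can be dropped in a follow-up.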
@@ -222,15 +212,13 @@ processors:
 - json.fileHashes
 - message
 ignore_missing: true
-
 #
 # Save fields without an ECS mapping under `threatintel.recordedfuture`.
 #
 - rename:
 field: json
 target_field: threatintel.recordedfuture
-
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: "{{ _ingest.on_failure_message }}"