

Improve ECS categorization field mappings in misp module. (elastic#17344
)

- event.id
- event.kind
- registry.key if indicator type regkey
- rule.category
- rule.description
- rule.id
- rule.uuid
- user.name if indicator type github-username

Closes elastic#16026
leehinman authored Apr 20, 2020
1 parent 8c9391c commit fee1f15
Showing 3 changed files with 33 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -262,6 +262,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add support for Google Application Default Credentials to the Google Pub/Sub input and Google Cloud modules. {pull}15668[15668]
- Enhance `elasticsearch/deprecation` fileset to handle ECS-compatible logs emitted by Elasticsearch. {issue}17715[17715] {pull}17728[17728]
- Enhance `elasticsearch/slowlog` fileset to handle ECS-compatible logs emitted by Elasticsearch. {issue}17715[17715] {pull}17729[17729]
- Improve ECS categorization field mappings in misp module. {issue}16026[16026] {pull}17344[17344]

*Heartbeat*

8 changes: 8 additions & 0 deletions x-pack/filebeat/module/misp/threat/config/pipeline.js
Expand Up @@ -13,6 +13,7 @@ var threat = (function () {
var categorizeEvent = new processor.AddFields({
target: "event",
fields: {
kind: "event",
category: "threat-intel",
type: "indicator",
},
Expand All @@ -24,8 +25,13 @@ var threat = (function () {

var convertFields = new processor.Convert({
fields: [
{ from: "json.Event.id", to: "rule.id" },
{ from: "json.Event.info", to: "misp.threat_indicator.description" },
{ from: "json.Event.info", to: "rule.description" },
{ from: "json.Event.uuid", to: "misp.threat_indicator.id" },
{ from: "json.Event.uuid", to: "rule.uuid" },
{ from: "json.category", to: "rule.category" },
{ from: "json.uuid", to: "event.id" },
],
mode: "rename",
ignore_missing: true,
Expand Down Expand Up @@ -116,6 +122,7 @@ var threat = (function () {
case 'github-username':
attackPattern = '[' + 'user:name = ' + '\'' + v + '\'' + ']';
attackPatternKQL = 'user.name: ' + '"' + v + '"';
evt.Put("user.name", v);
break;
case "hostname":
attackPattern = '[' + 'source:domain = ' + '\'' + v + '\'' + ' OR destination:domain = ' + '\'' + v + '\'' + ']';
Expand Down Expand Up @@ -155,6 +162,7 @@ var threat = (function () {
case 'regkey':
attackPattern = '[' + 'regkey = ' + '\'' + v + '\'' + ']';
attackPatternKQL = 'regkey: ' + '"' + v + '"';
evt.Put("registry.key", v);
break;
case "sha1":
attackPattern = '[' + 'file:hash:sha1 = ' + '\'' + v + '\'' + ']';
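Review bot: `evt.Put("registry.key", v);` in the regkey case stores the raw MISP attribute value, but ECS defines registry.key as the hive-relative key path with the hive carried separately in registry.hive; if MISP regkey attributes include a leading hive name (as Windows registry paths usually do), this mapping deviates from ECS and key-based correlation with endpoint registry events that follow the ECS split will not match. Consider splitting the value on the first backslash into registry.hive and registry.key, or at least documenting the deviation next to the Put with `// NOTE: MISP regkey values may carry the hive prefix; ECS registry.key expects a hive-relative path.` The same value-semantics question applies to `evt.Put("user.name", v);` in the github-username case in the previous hunk: user.name is the ECS field for the event's acting user, so indicator documents will surface in any user.name query alongside real user activity, which may be intended but deserves a comment stating so. The enclosing switch and the threat function start and end outside these hunks.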
Expand Up @@ -11,6 +11,8 @@
"destination.ip": "98.235.162.24",
"event.category": "threat-intel",
"event.dataset": "misp.threat",
"event.id": "5d2cb906-eff4-40f0-9f1d-10eb7d6a0c26",
"event.kind": "event",
"event.module": "misp",
"event.type": "indicator",
"fileset.name": "threat",
Expand All @@ -23,12 +25,18 @@
"misp.threat_indicator.feed": "misp",
"misp.threat_indicator.id": "58dcfe62-ed84-4e5e-b293-4991950d210f",
"misp.threat_indicator.type": "ip-dst",
"rule.category": "Network activity",
"rule.description": "Tor exit nodes feed",
"rule.id": "1",
"rule.uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f",
"service.type": "misp"
},
{
"@timestamp": "2017-03-30T12:54:26.000Z",
"event.category": "threat-intel",
"event.dataset": "misp.threat",
"event.id": "5d159be2-d4b4-4d97-9e14-406a02de0b81",
"event.kind": "event",
"event.module": "misp",
"event.type": "indicator",
"file.hash.md5": "89357a1b2e32f2b9bddff94b8136810b",
Expand All @@ -42,12 +50,18 @@
"misp.threat_indicator.feed": "misp",
"misp.threat_indicator.id": "5d159be2-d4b4-4d97-9e14-406a02de0b81",
"misp.threat_indicator.type": "md5",
"rule.category": "Payload delivery",
"rule.description": "OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass",
"rule.id": "1",
"rule.uuid": "5d159be2-d4b4-4d97-9e14-406a02de0b81",
"service.type": "misp"
},
{
"@timestamp": "2017-03-30T12:54:26.000Z",
"event.category": "threat-intel",
"event.dataset": "misp.threat",
"event.id": "5d159be2-d4b4-4d97-9e14-406a02de0b81",
"event.kind": "event",
"event.module": "misp",
"event.type": "indicator",
"file.path": "f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de",
Expand All @@ -61,12 +75,18 @@
"misp.threat_indicator.feed": "misp",
"misp.threat_indicator.id": "5d159be2-d4b4-4d97-9e14-406a02de0b81",
"misp.threat_indicator.type": "filename",
"rule.category": "Payload delivery",
"rule.description": "OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass",
"rule.id": "1",
"rule.uuid": "5d159be2-d4b4-4d97-9e14-406a02de0b81",
"service.type": "misp"
},
{
"@timestamp": "2017-03-30T12:54:26.000Z",
"event.category": "threat-intel",
"event.dataset": "misp.threat",
"event.id": "563b3ea6-b26c-401f-a68b-4d84950d210b",
"event.kind": "event",
"event.module": "misp",
"event.type": "indicator",
"fileset.name": "threat",
Expand All @@ -79,6 +99,10 @@
"misp.threat_indicator.feed": "misp",
"misp.threat_indicator.id": "563b3ea6-b26c-401f-a68b-4d84950d210b",
"misp.threat_indicator.type": "domain",
"rule.category": "Bad Domain",
"rule.description": "OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman",
"rule.id": "4",
"rule.uuid": "563b3ea6-b26c-401f-a68b-4d84950d210b",
"service.type": "misp"
}
]

