Hello community. I am having a big issue right now.
I have integrated FortiGate and Elastic, then attempted to integrate MISP with Elastic. The integration was working well until the [Logs MISP] dashboard's Total Indicators count turned out to actually be FortiGate logs (screenshot 1).
When I click “Explore in Discover”, it redirects me to FortiGate logs (screenshot 2).
My main mission is to match the FortiGate destination IPs with MISP's feed database.
I think what you’re seeing is probably caused by the MISP dashboard querying the wrong data view, not because FortiGate logs are actually becoming MISP indicators.
What I think is happening
The [Logs MISP] dashboard is built to work only with MISP indicator documents.
In your case, the dashboard’s data view/index pattern probably includes FortiGate indices (for example something like logs-*).
Because of that:
The “Total Indicators” visualization is counting FortiGate log events.
Clicking “Explore in Discover” correctly opens Discover, but shows FortiGate logs, since those are part of the same data view.
So I don’t really think that the dashboard is broken — it’s probably just not filtered to MISP data only.
What to check first
Data View used by the MISP dashboard
Go to Stack Management → Data Views
Find the data view used by the MISP dashboard
Make sure it only includes MISP indices/data streams, for example:
logs-ti_misp.*
Avoid broad patterns like:
logs-*
Event filtering
MISP documents should have fields like:
event.module: ti_misp
threat.indicator.*
FortiGate logs usually have:
event.module: fortinet
The dashboard visualizations should filter on the MISP module/dataset.
About matching FortiGate IPs with MISP indicators
Elastic does not automatically match FortiGate destination IPs with MISP feeds just by ingesting both.
To achieve that, you need one of the following:
Indicator Match detection rule
(Security → Rules → Indicator Match)
Match destination.ip from FortiGate logs
Against threat.indicator.ip from MISP
or
Threat Intel enrichment / enrich policy
Enrich FortiGate events at ingest time using MISP indicators
Until one of these is configured, FortiGate logs and MISP indicators will remain separate datasets.
Summary
The MISP dashboard is likely counting FortiGate logs because of a shared data view
It's possible to fix the index pattern / filters so it only targets MISP data
Use Indicator Match rules or enrichment to correlate FortiGate IPs with MISP
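As an added example (not code from this thread, from the Elastic MISP integration or from the FortiGate integration), the script below simulates the two points the reply makes, using constructed sample documents: first, why a data view over `logs-*` makes "Total Indicators" count FortiGate events and how restricting the index pattern or filtering on `event.module` fixes it; second, the indicator-match logic (FortiGate `destination.ip` against MISP `threat.indicator.ip`) that an Indicator Match rule or an enrich policy performs inside Elastic. The index names, IP values, the enrich policy name and its `enrich_fields` are assumptions chosen for the example; the enrich policy and processor bodies follow the Elasticsearch enrich API shape but are not taken from this page.

```python
"""Added example, not from the Elastic discussion thread or the Elastic
integrations. Simulates, over constructed documents, (1) the data-view
miscount described in the reply and (2) destination.ip vs
threat.indicator.ip matching. All index names, IPs and policy names are
assumptions for illustration."""
import fnmatch
import ipaddress

# Constructed sample documents as they might look after ingest.
SAMPLE_DOCS = [
    # MISP indicator documents (what [Logs MISP] should be counting)
    {"_index": "logs-ti_misp.threat-default",
     "event": {"module": "ti_misp", "dataset": "ti_misp.threat"},
     "threat": {"indicator": {"type": "ipv4-addr", "ip": "203.0.113.10"}}},
    {"_index": "logs-ti_misp.threat-default",
     "event": {"module": "ti_misp", "dataset": "ti_misp.threat"},
     "threat": {"indicator": {"type": "ipv6-addr", "ip": "2001:DB8::1"}}},
    # FortiGate firewall events (what a broad logs-* data view drags in)
    {"_index": "logs-fortinet.fortigate-default",
     "event": {"module": "fortinet", "dataset": "fortinet.fortigate"},
     "source": {"ip": "10.0.0.5"}, "destination": {"ip": "203.0.113.10"}},
    {"_index": "logs-fortinet.fortigate-default",
     "event": {"module": "fortinet", "dataset": "fortinet.fortigate"},
     "source": {"ip": "10.0.0.6"}, "destination": {"ip": "192.0.2.1"}},
    {"_index": "logs-fortinet.fortigate-default",
     "event": {"module": "fortinet", "dataset": "fortinet.fortigate"},
     "source": {"ip": "10.0.0.7"}, "destination": {"ip": "2001:db8::1"}},
    {"_index": "logs-fortinet.fortigate-default",
     "event": {"module": "fortinet", "dataset": "fortinet.fortigate"},
     "message": "system event with no destination.ip"},
]


def get_path(doc, dotted):
    """Walk a nested dict by an ECS dotted field name; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def docs_in_data_view(docs, index_pattern):
    """Documents a Kibana data view with this index pattern would cover."""
    return [d for d in docs if fnmatch.fnmatchcase(d["_index"], index_pattern)]


def count_total_indicators(docs, index_pattern, require_module=None):
    """Simulates the "Total Indicators" metric: a bare document count over
    the data view, optionally restricted to event.module (the fix the reply
    suggests when the pattern itself cannot be narrowed)."""
    covered = docs_in_data_view(docs, index_pattern)
    if require_module is None:
        return len(covered)
    return sum(1 for d in covered if get_path(d, "event.module") == require_module)


def _normalize_ip(value):
    """Parse to an ipaddress object so textual variants compare equal."""
    try:
        return ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return None


def match_indicators(docs):
    """Indicator-match logic: FortiGate destination.ip vs MISP
    threat.indicator.ip. Returns (event, indicator) pairs. IPs are normalized
    so an upper-case IPv6 indicator still matches a lower-case event value,
    and events without destination.ip are skipped rather than crashing."""
    indicators = {}
    for d in docs:
        if get_path(d, "event.module") != "ti_misp":
            continue
        ip = _normalize_ip(get_path(d, "threat.indicator.ip"))
        if ip is not None:
            indicators[ip] = d
    matches = []
    for d in docs:
        if get_path(d, "event.module") != "fortinet":
            continue
        ip = _normalize_ip(get_path(d, "destination.ip"))
        if ip is not None and ip in indicators:
            matches.append((d, indicators[ip]))
    return matches


def enrich_policy_and_processor(policy_name="misp_dst_ip"):
    """Request bodies for the ingest-time alternative: an enrich policy keyed
    on threat.indicator.ip and the pipeline processor applying it to
    destination.ip. Policy name, target_field and enrich_fields are
    assumptions for this example."""
    policy = {"match": {
        "indices": "logs-ti_misp.threat-*",
        "match_field": "threat.indicator.ip",
        "enrich_fields": ["threat.indicator.type", "threat.feed.name"]}}
    processor = {"enrich": {
        "policy_name": policy_name,
        "field": "destination.ip",
        "target_field": "threat.enrichments.indicator",
        "ignore_missing": True}}
    return policy, processor


if __name__ == "__main__":
    print("logs-* count:", count_total_indicators(SAMPLE_DOCS, "logs-*"))
    print("logs-ti_misp.* count:", count_total_indicators(SAMPLE_DOCS, "logs-ti_misp.*"))
    for ev, ind in match_indicators(SAMPLE_DOCS):
        print("hit:", get_path(ev, "destination.ip"), "<-", get_path(ind, "threat.indicator.ip"))
```

Running it shows the broad pattern counting all six documents while `logs-ti_misp.*` (or the `event.module: ti_misp` filter) counts only the two indicators, and two FortiGate events hitting MISP indicators, one of them only because of IP normalization. Inside Elastic the Indicator Match rule does the equivalent join at query time; the enrich policy does it at ingest time, so the event carries the indicator from the moment it is indexed.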
The dashboard is a Managed Dashboard: it is built by Elastic and is part of the MISP integration, so the user has no control over it and cannot edit the visualizations.
So, if a visualization on the MISP dashboard may not show MISP events because it is missing a filter, then I think that the dashboard is broken; it needs to be fixed by Elastic as it is part of an integration.