Filebeat Client talking to googleusercontent

Hi there,

I just noticed that the filebeat agents installed on the clients are talking quite frequently to 34.111.17.235 (235.17.111.34.bc.googleusercontent.com). Is it possible to configure the agents not to do that without having to block the traffic?

Kind regards

Drops


What do you have configured in your filebeat? Which modules did you enable?

Did you enable any threat intel modules, like the Abuse.ch module?

The IP address you shared is the endpoint for the Malwarebazer API of Abuse.ch, this is used by the threat intel module.

- module: threatintel
  malwarebazaar:
    enabled: true
    var.input: httpjson
    var.url: https://mb-api.abuse.ch/api/v1/
    var.interval: 10m
$ dig @8.8.8.8 mb-api.abuse.ch

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @8.8.8.8 mb-api.abuse.ch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27000
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mb-api.abuse.ch.		IN	A

;; ANSWER SECTION:
mb-api.abuse.ch.	181	IN	A	34.111.17.235

thnx a lot, didnt think of that.