Filebeat Threat Intel module, multiple Anomali filesets

How can multiple Anomali filesets be enabled?

For example, if I want to enable both collections 135 and 136 as per below, seems that the last read wins and only collection 136 will be configured.

Is this possible? Can't find anything in the documentation.

        anomali:
          enabled: true
          var.input: httpjson
          var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/135/objects?match[type]=indicator
          var.username: guest
          var.password: guest
          var.interval: 60m
        anomali:
          enabled: true
          var.input: httpjson
          var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/136/objects?match[type]=indicator
          var.username: guest
          var.password: guest
          var.interval: 60m

You'll need multiple Threatintel modules such as below. You can put this in the threatintel.yml file. I also recommend adding the other filesets to disable them.

- module: threatintel
  anomali:
    enabled: true
    var.input: httpjson
    var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/135/objects?match[type]=indicator
    var.username: guest
    var.password: guest
    var.interval: 60m
- module: threatintel
  anomali:
    enabled: true
    var.input: httpjson
    var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/136/objects?match[type]=indicator
    var.username: guest
    var.password: guest
    var.interval: 60m

Interesting. Will try this, though I believe I already had, and observed the same behaviour.

I did find some documentation of a sort, in the blog post:

Multiple threatintel modules are not specified in that.

You definitely need the multiple modules as having a dictionary with duplicate keys will just overwrite the first with the second.

That's exactly what looks like is happening. Unfortunately it seems to happen with multiple threatintel modules as well. Given the below configs, I only ever see collection 136 in the logs.

      - module: threatintel
        anomali:
          enabled: true
          var.input: httpjson
          var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/135/objects
          var.username: guest
          var.password: guest
          var.interval: 60m
      - module: threatintel
        anomali:
          enabled: true
          var.input: httpjson
          var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/136/objects
          var.username: guest
          var.password: guest
          var.interval: 60m

Where are you defining this config? In the filebeat.yml or the threatintel.yml? There was a bug that was just fixed when defining duplicate modules in the filebeat.yml that caused what you're seeing. Try in the threatintel.yml.

Thanks! That sounds like it will be the issue. This is a deployment into kubernetes and the helm chart defines the configs in filebeat.yml.

Got a link to the bug issue handy?

[Filebeat] Fix multiple modules in filebeat.yml by legoguy1000 · Pull Request #29952 · elastic/beats · GitHub is the PR that fixed it. I think it will be in 8.1.
