Filebeat ThreatIntel MISP Module

Hi,

I'm getting this error while trying to use the misp threat intel module:
[input.httpjson-cursor] v2/request.go:186 error processing response: the requested root field is empty {"input_source": "https://X.X.X.X/events/restSearch/", "input_url": "https://X.X.X.X/events/restSearch/"}

This is the config in filebeat.yml:

filebeat.modules:
- module: threatintel
  abuseurl.enabled: false
  abusemalware.enabled: false
  malwarebazaar.enabled: false
  anomali.enabled: false
  otx.enabled: false
  misp:
    enabled: true
    var.input: httpjson
    var.url: "https://X.X.X.X/events/restSearch"
    var.api_token: APIKEY
    var.ssl.verification_mode: none
    var.filters:
      - type: ["md5", "sha256", "url", "ip-src", "ip-dst", "domain"]
    var.first_interval: 72h
    var.interval: 60m

Any idea what causes it?

Hello @AndreiRD. I added an answer to a similar question here, hope this helps! :slight_smile:

Thanks Marius!
I managed to make the MISP part work by directly configuring /etc/filebeat/modules.d/threatintel.yml.disabled and then running filebeat modules enable threatintel. Though, if I use the filtering part, the filebeat service fails to start.
Work in progress...
