Filebeat ThreatIntel MISP Module

AndreiRD · May 26, 2021, 7:21am

Hi,

I'm getting this error while trying to use the misp threat intel module:
[input.httpjson-cursor] v2/request.go:186 error processing response: the requested root field is empty {"input_source": "https://X.X.X.X/events/restSearch/", "input_url": "https://X.X.X.X/events/restSearch/"}

This is the config in filebeat.yml:

filebeat.modules:
    - module: threatintel
  abuseurl.enabled: false
  abusemalware.enabled: false
  malwarebazaar.enabled: false
  anomali.enabled: false
  otx.enabled: false
  misp:
    enabled: true
    var.input: httpjson
    var.url: "https://X.X.X.X/events/restSearch"
    var.api_token: APIKEY
    var.ssl.verification_mode: none
    var.filters:
      - type: ["md5", "sha256", "url", "ip-src", "ip-dst", "domain"]
    var.first_interval: 72h
    var.interval: 60m

Any idea what causes it?

Marius_Iversen · May 26, 2021, 8:55pm

Hello @AndreiRD . I added an answer to a similar question here, hope this helps!

AndreiRD · May 28, 2021, 7:24am

Thanks Marius!
I managed to make the misp part work by directly configuring the /etc/filebeat/modules.d/threatintel.yml.disabled and then run filebeat modules enable threatintel . Though, if I use the filtering part, the filebeat service fails to start.
Work in progress...

Topic		Replies	Views
Threatintel anomali error: the requested root field is empty Beats filebeat	8	990	June 25, 2021
[threatintel Filebeat module] MISP configuration errors with filebeat threatintel module Beats beats-module , filebeat	4	1088	July 28, 2021
Filebeat Threat Intel Module Errors Beats painless , beats-module , filebeat , ingest-pipeline	3	845	December 17, 2022
Integration Misp using Filebeat Beats filebeat	5	554	June 17, 2022
Threat Intel Problems Beats filebeat	1	225	September 21, 2022

Filebeat ThreatIntel MISP Module

Related topics