Filebeat ThreatIntel MISP Module

Elastic Stack Beats
1

Hi,

I'm getting this error while trying to use the misp threat intel module:
[input.httpjson-cursor] v2/request.go:186 error processing response: the requested root field is empty {"input_source": "https://X.X.X.X/events/restSearch/", "input_url": "https://X.X.X.X/events/restSearch/"}

This is the config in filebeat.yml:

filebeat.modules:
    - module: threatintel
  abuseurl.enabled: false
  abusemalware.enabled: false
  malwarebazaar.enabled: false
  anomali.enabled: false
  otx.enabled: false
  misp:
    enabled: true
    var.input: httpjson
    var.url: "https://X.X.X.X/events/restSearch"
    var.api_token: APIKEY
    var.ssl.verification_mode: none
    var.filters:
      - type: ["md5", "sha256", "url", "ip-src", "ip-dst", "domain"]
    var.first_interval: 72h
    var.interval: 60m

Any idea what causes it?

2

Hello @AndreiRD . I added an answer to a similar question here, hope this helps! :slight_smile:

3

Thanks Marius!
I managed to make the misp part work by directly configuring the /etc/filebeat/modules.d/threatintel.yml.disabled and then run filebeat modules enable threatintel . Though, if I use the filtering part, the filebeat service fails to start.
Work in progress...

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.